Millions of social security numbers accessed in Kansas agency data breach

In today’s always-connected world, it’s impossible to do much business without entering your personal information in one computer system or another. That means that private data, often including social security numbers, is only safe as long as all of those systems remain secure — and even state government systems aren’t always safe. If you’ve been looking for a job via a Kansas Department of Commerce employment service, then you’re suddenly well aware of how it feels to see hackers steal your private data when there’s nothing you can do about it.

The news comes via KCUR, which as a member of the Kansas News Service requested and received information on a recent hack of a system operated by America’s Job Link Alliance-TS (AJLA-TS), a division of the Kansas Department of Commerce. The service allows people to post résumés and conduct job searches at sites like Kansasworks.com, and it also manages data for a total of 16 states including Kansas.

A total of almost 6.5 million records were hacked, and of those, 5.5 million from 10 states included social security numbers (SSNs), one of the most sensitive data types to which a hacker can gain access. According to the records obtained by the Kansas News Service, about half a million of the hacked accounts with SSNs were held by individuals located in Kansas.

The following states were affected:

  • Arkansas: 597,734 SSNs
  • Arizona: 896,370 SSNs
  • Delaware: 236,134 SSNs
  • Idaho: 170,517 SSNs
  • Kansas: 563,568 SSNs
  • Maine: 283,449 SSNs
  • Oklahoma: 430,679 SSNs
  • Vermont: 183,153 SSNs
  • Alabama: 1,393,109 SSNs
  • Illinois: 807,450 SSNs

The breach was first suspected on March 12, 2017, and then verified on March 14. The FBI was notified of the breach on March 15, and since then AJLA-TS has been soliciting assistance from a variety of third-party IT forensic analysis companies. The good news is that the exploit used by the hackers to gain access to the accounts has been identified and fixed, and the affected accounts have been precisely identified.

The state of Kansas is now paying three firms at least $235,000 for various services through the end of 2017. The costs of the breach will rise significantly, as the state will also pay for a year of credit monitoring for most of the victims, specifically those located in nine of the 10 states with victims affected by the breach. Victims in Delaware will receive three years of credit monitoring service due to contractual obligations.

So far, the Kansas Department of Commerce has sent 260,000 emails informing victims of the breach, but many hundreds of thousands have not yet been notified due to a lack of email addresses. Because Kansas law does not stipulate regular mail or telephone notification, it’s unclear if other victims will be notified. If you fear that your data might have been compromised, then you can contact a call center established for victims at 844-469-3939.