[BreachExchange] Kansas Data Breach Exposes More Than 5 Million Social Security Numbers

[Audrey McNeil]

http://www.ibtimes.com/kansas-data-breach-exposes-more-5-
million-social-security-numbers-2569024

A database operated by the Kansas Department of Commerce was breached by
hackers, resulting in the exposure of more than 5.5 million Social Security
numbers of American citizens across 10 states, the Kansas News Service
reported.

The breach was discovered after an open records request was filed by the
Kansas News Service—a collaboration of KCUR, Kansas Public Radio, KMUW and
High Plains Public Radio. The Kansas Department of Commerce did not
previously publicly report the incident.

Data from the breach came from websites designed to help members of the
public seeking employment find jobs. The sites, including Kansasworks.com,
were operated by America’s Job Link Alliance-TS, a division of the Kansas
Department of Commerce, and managed data for 16 states at the time of the
hack.

The breach included more than 5.5 million user accounts with Social
Security numbers included and another 805,000 that did not contain Social
Security numbers but did expose other personal information.

The largest number of exposed Social Security numbers came from residents
of Alabama, with 1.3 million in total from the state. More than half a
million Social Security numbers were also exposed from residents of
Arizona, Illinois, Arkansas and Kansas. Residents of Oklahoma, Maine,
Delaware, Vermont and Idaho were also included in the breach.

America’s Job Link Alliance-TS first discovered the breach on March 12 and
reported it to the FBI on March 15. While the impact of the hack on
residents of Kansas was reported on in May, the extent of the breach,
including its affect on residents of other states was not disclosed until
the public records request made by the Kansas News Service was fulfilled on
July 19.

The Department of Commerce sent 260,000 emails to victims of the hack in
May. If the department didn’t have an email on file for the person, it did
not contact them as Kansas law doesn’t require notification via mail or
telephone.

In response to the hack, Kansas agreed to pay for up to one year of credit
monitoring services for victims in nine of the 10 affected states. Victims
in Delaware will receive three years of the services due to contractual
obligations to that state. The response exceeds what is required by Kansas
state law, according to a state spokesperson.

The state’s Department of Commerce has been operating under interim
Secretary Nick Jordan since January when former Commerce Secretary Antonio
Soave resigned from the post —though the Kansas Department of Commerce
website still lists Soave as holding the position.

Word of the breach comes in the wake of Kansas Secretary of State Kris
Kobach’s request of voter rolls from all 50 states as part of the Trump
administration’s Commission on Election Integrity. Many states denied the
request, citing concerns over privacy protections for their residents. Some
state voter rolls include Social Security numbers and other identifying
information.

Kobach and Kansas interim Secretary of Commerce Jordan were both named in a
lawsuit filed by the American Civil Liberties Union last year that charged
the state illegally blocked voters from obtaining a driver’s license in an
effort to prevent them from voting.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170721/3e5e5ede/attachment.html>