Hackers who infiltrated a Kansas Department of Commerce data system were able to access around 5.5 million Social Security Numbers of people across 10 US states in a massive data breach in March. The Kansas News Service, which obtained the information from the agency through an open records request, reported that the breach also exposed another 805,000 accounts that did not contain Social Security Numbers.
While more than half a million of the SSNs were from Kansas residents, other states affected by the breach include Illinois, Arizona, Vermont, Oklahoma, Maine, Idaho, Arkansas, Delaware and Alabama.
The suspicious activity was detected by America's Job Link Alliance-TS, a division within the Kansas Department of Commerce that operates the system, on 11 March and isolated on 14 March. The agency said it informed the FBI the next day.
The department also contacted a third-party IT company to verify that the coding error exploited by hackers in the attack had been patched and to help identify the user accounts affected by the breach.
The Kansas News Service filed its open records request on 24 May, which the commerce department fulfilled on 19 July.
The compromised data came from websites such as Kansasworks.com where users find jobs, post resumes and search job openings. At the time of the breach, the department was managing data for 16 states. However, not all states were affected by the attack.
While the impact of the breach on Kansas residents was first reported in May, the extent of the attack, including its impact on millions of people in other states, had not been previously reported.
Kansas will have to pay for up to a year of credit monitoring services for victims in nine out of the 10 affected states. Due to contractual obligations with Delaware, residents of that state affected by the breach will be eligible for three years of services.
In May, the Department of Commerce said it had sent 260,000 emails to victims affected by the breach. However, it noted that it did not have the email addresses of all the users affected. Kansas state law does not require notification via mail or telephone.
IBTimes UK has reached out to the Kansas Department of Commerce for comment.