Hacker made off with over 5.5M Social Security numbers

When a Kansas Department of Commerce data system was breached back in March, a hacker accessed more than 5,561,803 Social Security numbers from 10 states, as well as personally identifiable information (PII) from another 805,664 user accounts without SSNs. In total, 6,367,467 users’ information was exposed to the hacker. Those numbers were obtained by the Kansas News Service via an open records request.

Have you ever looked for a job via the online portal America’s Job Link Alliance (AJLA)? You might better recognize it under other names; Kansasworks.com is just one example. Workforce services in various states had contracts with the Kansas database contractor AJLA-TS (America’s Job Link Alliance Technical Support). Did you know AJLA says it retains the PII of job seekers unless specifically asked for it to be deleted? If you found a job via AJLA, then it might be wise to ask for your data to be deleted.

AJLA-TS admitted in a press release in March that a malicious third-party “hacker” exploited a vulnerability in the AJL code and was able to access millions of users’ information.

The actual hack occurred in February, but it wasn’t discovered until March. AJLA admitted, “On February 20, 2017, a hacker created a job seeker account in an America’s JobLink (AJL) system. The hacker then exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers.” The code misconfiguration had been hanging around since October 2016.

The suspicious activity was discovered on March 12 and eliminated on March 14; the FBI was contacted on March 15.

The PII exposed included users’ names, Social Security numbers, dates of birth and so forth. Kansas was managing the data for 16 states at the time of the hack, but it claimed the following 10 states were affected: Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont.

The numbers of victims’ SSNs first reported to be affected by the AJLA-TS hack don’t match up exactly with affected users’ SSNs that were obtained by the Kansas News Service. The real numbers of affected individuals are slightly lower:

• Alabama: 1,393,109 SSNs exposed
• Arkansas: 597,374 SSNs exposed
• Arizona: 896,370 SSNs exposed
• Delaware: 236,134 SSNs exposed
• Idaho: 170,517 SSNs exposed
• Illinois: 807,450 SSNs exposed
• Kansas: 563,568 SSNs exposed
• Maine: 283,449 SSNs exposed
• Oklahoma: 430,679 SSNs exposed
• Vermont: 183,153 SSNs exposed
• “Across these 10 states, another 805,664 user accounts without SSNs were also affected.”

Although AJLA is required to ask users for SSNs, not everyone provides it. Most likely enter it because they believe it is required.

In May, Kansas Department of Commerce sent about 260,000 emails to Kansas’ 563,568 victims. KCUR said the rest were not contacted because the department claimed it didn’t have email addresses for all affected users and it is not required by law to call or send snail mail to victims.

Kansas agreed to pay for a year of credit monitoring services for affected victims in nine states; users in Delaware are eligible for three years of credit monitoring services.

You don’t have long to take advantage of the offer as KCUR reported, “The call center for victims, which can be reached at (844) 469-3939, will remain open through the end of this month.”

That leaves affected users about a week to take action.