Kansas System Hack Accessed Millions Of Social Security Numbers


- Advertisement -

By Celia Llopis-Jepsen for the Kansas News Service

Hackers who breached a Kansas Department of Commerce data system used by multiple states gained access to more than 5.5 million Social Security Numbers and put the agency on the hook to pay for credit monitoring services for all victims.

The number of SSNs exposed across the 10 states whose data was accessed has not been previously reported. The Kansas News Service, a collaboration of KCUR, Kansas Public Radio, KMUW and High Plains Public Radio, obtained the information through an open records request.

More than half a million of the SSNs were from Kansas, according to the Department of Commerce.

The data is from websites that help connect people to jobs, such as, where members of the public seeking employment can post their resumes and search job openings. Kansas was managing data for 16 states at the time of the hack, but not all were affected.

In addition to the 5.5 million personal user accounts that included SSNs, about 805,000 more accounts that did not contain SSNs were also exposed.

America’s Job Link Alliance-TS, the Kansas Department of Commerce division that operates the system, discovered suspicious activity on March 12, isolated it on March 14 and contacted the FBI the next day, according to testimony provided by agency officials to Kansas lawmakers this spring.

AJLA-TS officials also sought help from a third-party IT company specializing in forensic analysis. That analysis helped them verify that the coding error the hackers exploited had been fixed and to identify precisely which user accounts had been breached.

The Kansas News Service filed its open records request on May 24 seeking details about the extent of the breach and contracts related to the state’s response. The Department of Commerce fulfilled the request on July 19.

The documents show that the agency and AJLA-TS contracted with three private companies in the aftermath of the breach:

Epiq, of Kansas City, Kan., to provide a call center for victims seeking information about the incident and Equifax credit monitoring services.
Shook, Hardy and Bacon, a Kansas City, Mo. law firm, for “professional investigative, legal and compliance services.”

SHI, a New Jersey-based IT company, for “rapid deployment” incident response.
The state is paying the law firm $175,000 for services that run through Dec. 31, 2017. The IT contract cost approximately $60,000.

Number of SSNs affected in the AJLA-TS hack- Click to enlarge

The cost of the Epiq contract isn’t known because the agency redacted pricing information from the documents it released. David Soffer, a spokesperson for the department, said Epiq considers the cost information proprietary.

Testimony to lawmakers indicates AJLA-TS contracted with a fourth company in April, Texas-based Denim Group, to review code and provide feedback for improvements, which has since been implemented. The agency didn’t provide documents related to this contract in fulfilling the open records request.

Kansas will pay for up to a year of credit monitoring services for victims in nine of the 10 affected states. Victims residing in Delaware are eligible for three years of services because of contractual obligations to that state, Soffer said.

Agency officials have not yet responded to questions about whether insurance will cover some of the state’s costs.

The call center for victims, which can be reached at (844) 469-3939, will remain open through the end of this month, Soffer said.

The Department of Commerce said in May that this is the first known breach of AJLA-TS’ databases. AJLA-TS’ response to the hack – providing credit-monitoring services – exceeds what is required by Kansas state law, a department spokeswoman said at the time.

The head of a California-based advocacy group, Privacy Rights Clearinghouse, told The Topeka Capital-Journal in May that one year of credit monitoring is not sufficient protection for victims of the hack, which also exposed names and birth dates, among other personal information.

The Capital-Journal also reported that hundreds of thousands of the Kansas victims may not be aware their accounts were breached.

The Department of Commerce said in May it had sent about 260,000 emails to victims, but added that it did not have email addresses for all users. Kansas law does not require notification to the victims via post or telephone, the department said.

When a recent theft from a Washington State University unit that handles data for state agencies on a contract basis exposed the personal information of 1 million people, the university notified victims by post.

That breach also included SSNs. Like Kansas, Washington State offered victims one year of free credit monitoring.

- Advertisement -
Derek Nester
Derek Nester
Derek Nester was born and raised in Blue Rapids and graduated from Valley Heights High School in 2000. He attended Cowley College in Arkansas City and Johnson County Community College in Overland Park studying Journalism & Media Communications. In 2002 Derek joined Taylor Communications, Inc. in Salina, Kansas working in digital media for 550 AM KFRM and 100.9 FM KCLY. Following that stop, he joined Dierking Communications, Inc. stations KNDY AM & FM as a board operator and fill-in sports play-by-play announcer. Starting in 2005 Derek joined the Kansas City Chiefs Radio Network as a Studio Coordinator at 101 The Fox in Kansas City, a role he would serve for 15 years culminating in the Super Bowl LIV Championship game broadcast. In 2021 he moved to Audacy, formerly known as Entercom Communications, Inc. and 106.5 The Wolf and 610 Sports Radio, the new flagship stations of the Kansas City Chiefs Radio Network, the largest radio network in the NFL. Through all of this, Derek continues to serve as the Digital Media Director for Sunflower State Radio, the digital and social media operations of Dierking Communications, Inc. and the 6 radio stations it owns and operates across Kansas.

Share post:

- Advertisement -

Related Headlines

- Advertisement -

Most Viewed

From Sunflower State Radio

Jayhawks Move to 5-0 With Dramatic Win Over Cyclones

Via Kansas Athletics LAWRENCE, Kan. – Behind second-quarter touchdowns from...

Fourth Quarter Surge Pushes Wildcats Over Raiders

Via K-State Athletics MANHATTAN, Kan. - Adrian Martinez earlier in...

KNDY Area High School Football Scores – 9/30/2022

NORTH CENTRAL KANSAS LEAGUE Concordia 38, Hiawatha 12 Rock Creek 56,...

Marshall County Commission Meeting Minutes – 9/26/2022

The Board of Marshall County Commissioners met in regular...