Millions of victims of a data hack that targeted a Kansas state agency in possession of Social Security numbers were not informed of the breach directly, according to information obtained through an open records request.
The Kansas Department of Commerce says it only had valid email addresses for about 2.5 million of the more than 6 million job seeker accounts that were exposed. It sent notices to those addresses and further spread word of the hack through news releases and other public messages.
“We are confident our agency fulfilled all legal requirements of Kansas and the other member states on how to ensure those affected were lawfully and properly contacted,” spokesman Kevin Doel said.
Information technology staff discovered the hack in March. It affected job seekers across 10 states, including nearly 600,000 in Kansas. More than 5.5 million of the accounts contained Social Security numbers.
A unit within the Kansas Department of Commerce called America’s Job Link Alliance-Technical Support had been managing the data for the Kansasworks.com website, which connects job seekers with opportunities, and for similar sites in the other states. The other websites are for Arkansas, Arizona, Delaware, Idaho, Maine, Oklahoma, Vermont, Alabama and Illinois.
The hack came just months after Kansas legislative auditors released the conclusions of a three-year check into IT security at 20 state agencies, excluding the Department of Commerce. The auditors flagged concerns at most of the agencies, including IT weaknesses that posed a risk for data breaches.
Kansas offered victims of the AJLA-TS attack credit monitoring through Equifax, which itself recently became the victim of a hack.
Cost to taxpayers
It remains unclear what the data breach will cost Kansas taxpayers in total.
Records indicate the state contracted with a law firm for $175,000 and an IT firm for $60,000 to help deal with the aftermath.
But the Department of Commerce redacted pricing information from its contract with Epiq, the company it hired to email victims, operate a call center for them and supply Equifax services. The arrangement is ongoing. The Commerce Department said Thursday it had paid about $800,000 to Epiq as of the end of last month.
In an email, Epiq instructed the Commerce Department to redact the pricing information from its contract.
The Kansas News Service obtained records related to the hack through open records requests. The Commerce Department took eight weeks to provide records fulfilling parts of one request and five weeks to provide any records related to the second request. It took 13 weeks from the original Kansas News Service request for the Epiq contract for the agency to cite any provisions of statute for redacting pricing.
Mike Kautsch, a University of Kansas law professor and former dean of the KU School of Journalism, said Kansas’ open records act requires public agencies to provide documents within three business days or give a “detailed explanation” for the delay and specify the earliest date the records will be available, which the agency didn’t do. The statute also requires agencies to cite specific legal provisions for any redactions within three days of a request for that information.
“In my opinion, they’re already in violation of the law,” he said. “The burden is really on them to comply.”
On Friday, officials from the Commerce Department and AJLA-TS will update Kansas lawmakers on security steps taken since the hack. The conversation with a joint panel of senators and representatives will be partly or wholly closed to the public.
Doel of the Commerce Department said Thursday the agency is confident in the measures it has taken to prevent future breaches.
“Although no system is invulnerable,” Doel said, “yes, areas of potential risk were determined during the assessment process and those areas have been properly remediated.”
Derby Republican Rep. Blake Carpenter chairs the legislative panel, which has been examining IT security at the Commerce Department and other Kansas agencies.
“I want to make sure that the information of Kansas citizens is protected,” Carpenter said. “Especially if the government has that information and people are trusting us.”
Rep. Brandon Whipple, a Wichita Democrat, said the panel needs to go beyond pointing fingers and work on ensuring sensitive information is adequately guarded.
“The conversation has to be about what went wrong and shifting right into how we make sure this never happens again,” he said.
Whipple said the goal is to pinpoint and address why some agencies have better security than others. “We need to figure out — how do we make all of them good at this?” he said.
Sen. Dinah Sykes, a Lenexa Republican, said the state needs a proactive approach to protecting its data. “It seems like it’s been an afterthought in Kansas,” she said.
Celia Llopis-Jepsen is a reporter for the Kansas News Service, a collaboration of KMUW, Kansas Public Radio and KCUR covering health, education and politics. You can reach her on Twitter @Celia_LJ.