Kansas Database Hack Exposed 5.5 Million SSNs

Governments around the world are managing ever-increasing amounts of data. This is supposed to allow for more effective governance, but it also puts the personal information of millions of people at risk. Case in point: The hacking of a Kansas data system exposed the Social Security numbers (SSNs) of 5.5 million people from 10 states; data from another 805,000 people who didn't share their SSNs was also compromised.

The Kansas News Service revealed those figures after filing an open records request with the Kansas Department of Commerce. According to the report, the hacked system was used by people in 16 states to find jobs. (Not all of the states were affected by the hack.) Now millions of people who used those websites could have their identities stolen, their personal information auctioned, or their safety endangered by the hackers.

This is the second time in the last few weeks that we've heard about governmental mismanagement of sensitive information. In June, the UpGuard security firm revealed that "names, dates of birth, home addresses, phone numbers, and voter registration details" about 198 million registered voters were exposed by three data companies hired by the Republican National Committee (RNC) during the 2016 presidential election.

UpGuard explained in its report that we're likely to see problems like this in the future:

"The fundamental problems which exposed this data are not rare, uncommon, or consigned to one side of the partisan divide; indeed, while those responsible for this exposure are of one party, the 198 million Americans affected span the entire political spectrum, their information revealed regardless of their political beliefs. The same factors that have resulted in thousands of previous data breaches—forgotten databases, third-party vendor risks, inappropriate permissions—combined with the RNC campaign operation to create a nearly unprecedented data breach. [...] Despite the breadth of this breach, it will doubtlessly be topped in the future—to a likely far more damaging effect—if the ethos of cyber resilience across all platforms does not become the common language of all internet-facing systems."

The breach in Kansas wasn't as severe as the incident from June, and the Kansas News Service reported that the exploited vulnerability was addressed shortly after it was revealed. Yet the episode still highlights the risks of providing sensitive information to anyone, regardless of whether they're in the public or private sectors, and of entrusting any one system with highly valuable information about millions of people.

Those dangers will only become more pronounced as governments collect more data about their citizens. In December 2016, for example, we wrote about the risks associated with government agencies collecting biometric information. Many companies have turned to biometrics as password replacements--despite the well-known risks associated with doing so--and allowing governments to access that data could undermine their security. Collecting that information will make government systems more attractive hacking targets, which in turn puts your data at risk.

The Kansas Department of Commerce is offering one year of free credit monitoring to people affected by the hack. The agency is said to have contacted some affected people via email, but it doesn't have email addresses for every user, and the Kansas News Service said it hasn't attempted to reach people via phone or snail mail. You can find out if you were affected by the hack by calling (844) 469-3939.