Kansas Database Hack Exposed 5.5 Million SSNs

Governments around the world are managing ever-increasing amounts of data. This is supposed to allow for more effective governance, but it also puts the personal information of millions of people at risk. Case in point: The hacking of a Kansas data system exposed the Social Security numbers (SSNs) of 5.5 million people from 10 states; data from another 805,000 people who didn't share their SSNs was also compromised.

The Kansas News Service revealed those figures after filing an open records request with the Kansas Department of Commerce. According to the report, the hacked system was used by people in 16 states to find jobs. (Not all of the states were affected by the hack.) Now millions of people who used those websites could have their identities stolen, their personal information auctioned, or their safety endangered by the hackers.

This is the second time in the last few weeks that we've heard about governmental mismanagement of sensitive information. In June, the UpGuard security firm revealed that "names, dates of birth, home addresses, phone numbers, and voter registration details" about 198 million registered voters was exposed by three data companies hired by the Republican National Committee (RNC) during the 2016 presidential election.

UpGuard explained in its report that we're likely to see problems like this in the future:

The fundamental problems which exposed this data are not rare, uncommon, or consigned to one side of the partisan divide; indeed, while those responsible for this exposure are of one party, the 198 million Americans affected span the entire political spectrum, their information revealed regardless of their political beliefs. The same factors that have resulted in thousands of previous data breaches—forgotten databases, third-party vendor risks, inappropriate permissions—combined with the RNC campaign operation to create a nearly unprecedented data breach. [...] Despite the breadth of this breach, it will doubtlessly be topped in the future—to a likely far more damaging effect—if the ethos of cyber resilience across all platforms does not become the common language of all internet-facing systems.

The breach in Kansas wasn't as severe as the incident from June, and the Kansas News Service reported that the exploited vulnerability was addressed shortly after it was revealed. Yet the episode still highlights the risks of providing sensitive information to anyone, regardless of whether they're in the public or private sectors, and of entrusting any one system with highly valuable information about millions of people.

Those dangers will only become more pronounced as governments collect more data about their citizens. In December 2016, for example, we wrote about the risks associated with government agencies collecting biometric information. Many companies have turned to biometrics as password replacements--despite the well-known risks associated with doing so--and allowing governments to access that data could undermine their security. Collecting that information will make government systems more attractive hacking targets, which in turn puts your data at risk.

The Kansas Department of Commerce is offering one year of free credit monitoring to people affected by the hack. The agency is said to have contacted some affected people via email, but it doesn't have email addresses for every user, and the Kansas News Service said it hasn't attempted to reach people via phone or snail mail. You can find out if you were affected by the hack by calling (844) 469-3939.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • PC-Cobbler
    As someone who fell afoul of one of the many breaches, I can tell you that the one year of credit monitoring goes no further. If you are a victim of identity theft, you are on your own. If you decide to place a credit freeze on your accounts with the four (yes, four) major credit agencies, you will pay $10 each time you temporarily remove it so a creditor can verify your credit.

    As for companies and the government using biometric data, refuse to give it, because you can always change a password, but you cannot change your fingerprints or eyeballs. And since there is no serious penalty for breaches, your biometric data will be stolen eventually.
  • dark_lord69
    "5.5 million people from 10 states"
    and those states are!!!????
    You've gotta be kidding.

    I used your extra links to dig and find out I'm NOT at risk.
    Arkansas 597,374
    Arizona 896,370
    Delaware 236,134
    Idaho 170,517
    Kansas 563,568
    Maine 283,449
    Oklahoma 430,679
    Vermont 183,153
    Alabama 1,393,109
    Illinois 807,450
  • hellwig
    Man, Trump really wants those voter details.

    The government is run by people, and people are arrogant, stupid, and fallible. But oh, if you don't trust the government you're paranoid or an anarchist.

    Reminds me of when a U.S. Census auditor lost a laptop with hundreds of thousands of people's surveys on it (unencrypted). And they wonder why some people are violently opposed to giving their information to said auditors.
  • EDIE_1
    I am 100 years old. Take me back to the days when you had the huge rotary dial phones, everything was handled on paper, computers didn't exist, I never ever locked the doors to my car or house unless I went on vacation, there was a hell of lot less crime, people actually respected police & they were eager to help you out, Doctors made house calls & his staff took pride in getting facts of your illness correctly documented, when people actually went to restaurants & sat down, ate & spoke to one another instead of each person staring at their dumbphone. Yes, we've come a long way, just in the wrong direction!