State computer hacked, thousands at risk

January 29, 2007

Associated Press

A state computer containing the names, Social Security Numbers and bank account information for 70,000 Vermonters has been hacked into in an automated computer attack that puts their personal information at risk for misuse, the state said Monday.

Human Services Secretary Cynthia LaWare said there is no indication the information has been used illicitly, but she said it was possible.

The state is planning to send letters to the affected individuals Tuesday and Wednesday urging them to monitor their bank accounts. It is also offering to pay for credit monitoring.

The Human Services computer was used as a tool to track noncustodial parents who owe back child support. The state and a number of banks exchanged financial information on the computer, which was taken out of service in early December after technicians discovered what they thought was a computer virus.

It remains off-line, officials said.

About 12,000 of the affected individuals owed back child support. The rest of the names, about 58,800 people, were supplied to the state by the New England Federal Credit Union, which shared customer information with the understanding that only the data on child support debtors would be used.

New England Federal CEO David Bard said his organization shared information with the state quarterly, as required by law. Usually, the credit union will only provide the state with information about people known to owe back child support.

But on two occasions, once in 2004 and once in 2005, the credit union supplied the state with 58,800 names and information, almost the entire membership of the Williston-based credit union. The state is then supposed to look in that list for people who owe child support. It is acceptable under federal rules, but more than is required by the state, Bard said.

"We have a number of people who are going to be very frustrated and unsettled by this breach," Bard said. "This never should have happened."

LaWare said the state kept the information on the computer even though it wasn't needed.

"We retained that information," LaWare said. "Once we received that information, the state has a responsibility to protect that information."

Customers from eight additional banks and credit unions, representing about 2,800 individuals, were also affected, the state said. They are: the Central Vermont Public Service Employees Credit Union, First Brandon National Bank, Federal Family Credit Union, Granite Hills Credit Union, Merchants Bank, Northfield Savings Bank, Opportunities Credit Union and the Vermont State Employees Credit Union.

Bard said the Credit Union would do its utmost to help protect those whose information may have been taken.

"Right now, we have 58,000 (members) who have been victimized by this breach. We will put all the resources we have on providing the support" they need.

Thomas Murray, commissioner of the Department of Information and Innovation, said the situation was similar to one in which someone breaks into a file room, but there is no indication if any of the files were looked at.

Murray said there were indications the attacks came from Australia, New Zealand and China, but the origin cannot be determined. The state's computer was being used so that a remote user could relay video or use it for other purposes, such as launching a denial-of-service attack; an episode of the television show "Bones" was found on the machine.

"It was an automated attack, which I think is critically important, and not a targeted attack by an individual," LaWare said.

"They are trying to access the computer for the storage," LaWare said.

The revelation marks the third time in recent months that state officials have had to answer for computer-related security breaches with the potential to aid identity thieves:

- In December, the names and Social Security numbers of hundreds of health care providers were posted on the Internet in a state contractor's mistake. The data was included in a state request for bids from companies that might want to take over administering health claims for 22,000 state employees, retirees and dependents. It was later stricken from the Internet after being publicized.

- Earlier this month, The AP reported that an unknown number of Uniform Commercial Code filings containing individuals' Social Security numbers had been posted to a Web site hosted by the Vermont Secretary of State's office. The office responded by breaking the links from its Web site to the photographic images of the documents.
