Skip the navigation

Vermont agency warns 70,000 of possible data compromise

Social Security numbers and other information may have been exposed

January 30, 2007 12:00 PM ET

Computerworld - The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data.

The breach was discovered on Dec. 8 and involved a computer running an application that is used for collecting delinquent child support payments from noncustodial parents in the state. The "bank match" application is used to run quarterly matches of names with nine financial institutions in the state to establish whether delinquent parents have assets that can be used to pay off their child support obligations.

Each quarter, the state sends all nine financial institutions a list including names, Social Security numbers and bank or credit union account information for people who are behind on child support payments. If names from the list match the names of account holders, the institutions are required by state law to transmit that information -- using encryption -- back to the AHS.

But the AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. Tringe added that the AHS now plans to stop keeping the information on the server altogether. "The original design called for the computer to store the data," she said. "That will no longer happen."

Not all of the personal data on the compromised computer belonged to people who were behind on their child care payments. Tringe said information about more than 58,000 customers of the New England Federal Credit Union ended up on the server because the Williston, Vt.-based NEFCU mistakenly sent more information than required to the AHS.

According to Tringe, the NEFCU on two occasions -- in July 2004 and again in October 2005 -- sent over encrypted files via a communication method not used by the state. That resulted in a larger-than-required file of information being received by, and stored on, the compromised AHS server, she said.

John Dwyer, president of the NEFCU, said the agency on those two occasions used an "all accounts" method for transferring data instead of the "matched accounts" method used by the Vermont agency. It was only on those two occasions that this sort of data transfer happened, he said.

"We were never informed of the error," Dwyer said. "If we had been, we certainly would've corrected it."

The 58,000 names represent nearly all of the NEFCU's members at that time. "We've grown bigger since then," Dwyer said.

The Windows-based system that was broken into at AHS appears to have been the target of an automated attack and not a directed one, Tringe said. "It looked like the system had been infected by several bots," which were then used to store various files on the computer -- including a copy of the TV show Bones, she said.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!