Social security hackers
© Thomas Samson / AFP
A security breach in the Kansas Department of Commerce has exposed millions of Social Security numbers from people across 10 states to hackers. Many other accounts were also attacked.

Identifying information of millions of people in Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Maine, Oklahoma and Vermont are in the hands of hackers, according to an open records request by a collaboration of sources through the Kansas News Company.

The open records request was made by the Kansas News Service on May 24, and Wednesday, the commerce department fulfilled the request.

Specifically, the hacked data was from websites that help people find jobs, such as KansasWorks.com. At the time of the breach, Kansas had been holding data from 16 states, but not every state had their information exposed.

Suspicious activity was first discovered by America's Job Link Alliance-TS, which is the commerce department division that operates the system. By March 14, it was isolated and the FBI was notified the next day, according to testimony from agency officials to the legislature earlier this year.

Following the hack, a third party IT company was called to handle and fix the situation as well as to identify the victims.

The commerce department also contracted with three other private companies to help the victims and to contribute to IT support, while also providing legal services.

One such company was a law firm which the state is paying $175,000. The state will also pay $60,000 to an IT support company. The payment to the third contracted party was not reported by the department.

A fourth company, Denim Group, was also identified in testimony to lawmakers. The Texas-based company was contacted in April in order to provide advice to review code and also to suggest improvements which has now been implemented.

The state will be supporting victims with as much as a year of credit monitoring that will be paid for.

Also, because of contractual obligations in Delaware, residents from that state are eligible for three years of services.

The agency claimed in May that this was the first known breach of data from the AJLA-TS database.

They also said that the contractors exceeded requirements set out by Kansas law with their response.

The commerce department did, however, say that 260,000 emails were sent out to the victims, but it couldn't reach everyone who was affected because they didn't have every single person's email address. Notification by telephone or post is not required under Kansas state law, according to the department.