Hackers broke into the official Rhode Island state government Web site, www.ri.gov, late last month and stole 4,117 credit card numbers, according to New England Interactive Inc. (NEI), the company that manages the site. NEI is a subsidiary of Olathe, Kan.-based e-government provider NIC Inc.
“We discovered the breach on Dec. 28,” said NIC spokesman Chris Neff. “It was due to an error in a line of software code that our local office in Rhode Island that manages the state’s portal [NEI] had written. So we immediately closed that breach, fixed that error and initiated a deeper investigation, including a follow-up security scan of the entire site.”
According to Neff, NEI at first thought that only eight credit cards had been compromised. “We immediately contacted the Rhode Island CIO and the Secret Service and the credit card-issuing companies to flag those accounts so they could be monitored for possible fraudulent activity,” Neff said.
After further analysis, however, NEI discovered that 4,117 credit card numbers were actually involved. “At that point, we went through the notification process again with the Rhode Island CIO, Secret Service [and the] credit card companies,” he said. “Now we’re collaborating with the state, the credit card companies [and] the Secret Service working on several solutions. We’re working toward contacting those card holders and working toward providing some additional services to them [like] credit monitoring and credit rehabilitation for people who were harmed … as a result of this. And we’re working with the state on the security — they’ve hired an external security firm, we have done the same, to assess the state’s security measures and ensure that everything is up to par going forward.”
According to a statement from NIC Monday, the stolen credit card numbers were used in transactions with government agencies between Dec. 31, 2004, and March 8, 2005. NIC recommended that anyone who used credit card information on the Rhode Island Web site contact their credit card companies and request that their accounts be monitored for fraudulent activity.
A check of the state site indicates that consumers can conduct a variety of transactions online using a credit card, including renewing fishing and boating licenses, obtaining driving records and renewing vehicle registrations that have been temporarily suspended.
NIC realized that more than eight credit cards might have been compromised last week, when it learned of information on a Russian-language Web site that appeared to discuss the hacking. NEI worked to cross-reference details on the Russian site against information it already had and on Thursday notified NIC, the state CIO, law enforcement officials and credit card companies that additional credit cards were involved in the hacking. That’s when the company found that 4,117 credit card numbers had been stolen.
“NIC takes security matters very seriously,” Harry Herington, chief operating officer of NIC, said in the statement. “We take responsibility for this incident and acted immediately to correct the breach upon discovering it. We will continue to work with Rhode Island state officials, law enforcement and the credit card companies to resolve this issue.”
But in a letter to Augusta, Maine-based NEI, attorneys for the state indicated that Rhode Island officials learned of the breach only last week.
“[NEI] has so far provided incomplete and conflicting responses to the state’s efforts to obtain accurate information regarding the size, nature and reason [of the breach]. This is unacceptable and has unnecessarily led to confusion and concern among users of the RI.gov Web site,” said James DeGraw, an attorney at Boston-based Ropes & Gray LLP.
The state called on NEI to do the following:
– Immediately stop processing credit card transactions through the RI.gov Web site until state officials are sure the site is secure.
– Hire an outside security consultant to determine whether there are any other vulnerabilities in the site or in NEI’s data-handling procedures and immediately correct them.
– Identify all consumers whose credit card or other personal data may have been compromised.
– Establish a way for those consumers to find out whether their data was compromised and provide a comprehensive credit card replacement, credit monitoring and credit rehabilitation program to anyone affected.
Neff said NIC is now drafting a written response to the state’s demands and plans to comply with all of the demands.
A spokesman for Rhode Island’s governor could not be reached for comment.