Hackers broke into the official Rhode Island state government website, www.ri.gov, late last year and stole 4,117 credit card numbers, according to New England Interactive (NEI), the company that manages the site. NEI is a subsidiary of e-government provider NIC.
"We discovered the breach on December 28," NIC spokesman Chris Neff says. "It was due to an error in a line of software code that our local office in Rhode Island — which manages the state's portal — had written. So we immediately closed that breach, fixed that error and initiated a deeper investigation, including a follow-up security scan of the entire site."
According to Neff, NEI at first thought that only eight credit cards had been compromised. "We immediately contacted the Rhode Island CIO and the Secret Service and the credit card-issuing companies to flag those accounts so they could be monitored for possible fraudulent activity," Neff says.
After further analysis, however, NEI discovered that 4,117 credit card numbers were actually involved. "At that point, we went through the notification process again with the Rhode Island CIO, Secret Service [and the] credit card companies," he says. "Now we're collaborating with the state, the credit card companies [and] the Secret Service working on several solutions. We're working towards contacting those card holders and towards providing some additional services to them [like] credit monitoring and credit rehabilitation for people who were harmed ... as a result of this. And we're working with the state on the security — they've hired an external security firm, we have done the same, to assess the state's security measures and ensure that everything is up to par going forward."
According to a statement from NIC on January 23, the stolen credit card numbers were used in transactions with government agencies between December 31, 2004, and March 8, 2005.
A check of the state site indicates that consumers can conduct a variety of transactions online using a credit card, including renewing fishing and boating licenses, obtaining driving records and renewing vehicle registrations that have been temporarily suspended.
NIC realised that more than eight credit cards might have been compromised last week, when it learned of information on a Russian-language website that appeared to discuss the hacking. NEI worked to cross-reference details on the Russian site against information it already had and on January 26 notified NIC, the state CIO, law enforcement officials and credit card companies that additional credit cards were involved in the hacking. That's when the company found that 4,117 credit card numbers had been stolen.
"NIC takes security matters very seriously," Harry Herington, chief operating officer of NIC, said in the statement. "We take responsibility for this incident and acted immediately to correct the breach upon discovering it. We will continue to work with Rhode Island state officials, law enforcement and the credit card companies to resolve this issue."
However, in a letter to NEI, lawyers for the state indicated that Rhode Island officials learned of the breach only last week.
"[NEI] has so far provided incomplete and conflicting responses to the state's efforts to obtain accurate information regarding the size, nature and reason [of the breach]. This is unacceptable and has unnecessarily led to confusion and concern among users of the Rhode Island government website," says James DeGraw, an attorney at law firm Ropes & Gray.
The state called on NEI to do the following:
- Immediately stop processing credit card transactions through the RI.gov site until state officials are sure the site is secure.
- Hire an outside security consultant to determine whether there are any other vulnerabilities in the site or in NEI's data-handling procedures and immediately correct them.
- Identify all consumers whose credit card or other personal data may have been compromised.
- Establish a way for those consumers to find out whether their data was compromised and provide a comprehensive credit card replacement, credit monitoring and credit rehabilitation program to anyone affected.
Neff says NIC is now drafting a written response to the state's demands and plans to comply with all of the demands.
A spokesman for Rhode Island's governor could not be reached for comment.