Mandiant has closed the vulnerability that led to the intrusion and has finished installing surveillance and monitoring tools across the department, the statement added.

The breach is easily the biggest involving Social Security Numbers this year. The previous biggest loss of SSNs this year happened when hackers believed to be operating out of East Europe in March and accessed closed to 280,000 SSNs and close to 500,000 other records involving less sensitive personal data.

In that incident, hackers were able to gain access to the system by exploiting a default password on the user authentication layer of the system. The attackers were able to bypass multiple network, perimeter and application level security controls to gain access to the data. The incident prompted the resignation of Utah's CTO, a couple of months later.

It's too soon to say what kind of fallout this breach will have, especially considering the fact that the SSNs appear to have been stored in unencrypted fashion.

Security experts have long advocated the use of encryption to protect SSNs and other sensitive data and some states such as Massachusetts even mandate it. The fact that this basic precaution appears not to have been taken in this case could expose the state to potential lawsuits as well.