"We discovered the breach on Dec. 28," said NIC spokesman Chris Neff. "It was due to an error in a line of software code that our local office in Rhode Island that manages the state's portal [NEI] had written. So we immediately closed that breach, fixed that error and initiated a deeper investigation, including a follow-up security scan of the entire site."
According to Neff, NEI at first thought that only eight credit cards had been compromised. "We immediately contacted the Rhode Island CIO and the Secret Service and the credit card-issuing companies to flag those accounts so they could be monitored for possible fraudulent activity," Neff said.
After further analysis, however, NEI discovered that 4,117 credit card numbers were actually involved. "At that point, we went through the notification process again with the Rhode Island CIO, Secret Service [and the] credit card companies," he said. "Now we're collaborating with the state, the credit card companies [and] the Secret Service working on several solutions. We're working toward contacting those card holders and working toward providing some additional services to them [like] credit monitoring and credit rehabilitation for people who were harmed ... as a result of this. And we're working with the state on the security -- they've hired an external security firm, we have done the same, to assess the state's security measures and ensure that everything is up to par going forward."
According to a statement from NIC Monday, the stolen credit card numbers were used in transactions with government agencies between Dec. 31, 2004, and March 8, 2005. NIC recommended that anyone who used credit card information on the Rhode Island Web site contact their credit card companies and request that their accounts be monitored for fraudulent activity.
A check of the state site indicates that consumers can conduct a variety of transactions online using a credit card, including renewing fishing and boating licenses, obtaining driving records and renewing vehicle registrations that have been temporarily suspended.
NIC realized that more than eight credit cards might have been compromised last week, when it learned of information on a Russian-language Web site that appeared to discuss the hacking. NEI worked to cross-reference details on the Russian site against information it already had and on Thursday notified NIC, the state CIO, law enforcement officials and credit card companies that additional credit cards were involved in the hacking. That's when the company found that 4,117 credit card numbers had been stolen.
"NIC takes security matters very seriously," Harry Herington, chief operating officer of NIC, said in the statement. "We take responsibility for this incident and acted immediately to correct the breach upon discovering it. We will continue to work with Rhode Island state officials, law enforcement and the credit card companies to resolve this issue."
But in a letter to Augusta, Maine-based NEI, attorneys for the state indicated that Rhode Island officials learned of the breach only last week.
"[NEI] has so far provided incomplete and conflicting responses to the state's efforts to obtain accurate information regarding the size, nature and reason [of the breach]. This is unacceptable and has unnecessarily led to confusion and concern among users of the RI.gov Web site," said James DeGraw, an attorney at Boston-based Ropes & Gray LLP.
The state called on NEI to do the following:
- Immediately stop processing credit card transactions through the RI.gov Web site until state officials are sure the site is secure.
- Hire an outside security consultant to determine whether there are any other vulnerabilities in the site or in NEI's data-handling procedures and immediately correct them.
- Identify all consumers whose credit card or other personal data may have been compromised.
- Establish a way for those consumers to find out whether their data was compromised and provide a comprehensive credit card replacement, credit monitoring and credit rehabilitation program to anyone affected.
Neff said NIC is now drafting a written response to the state's demands and plans to comply with all of the demands.
A spokesman for Rhode Island's governor could not be reached for comment.