The breach was discovered on Dec. 8 and involved a computer running an application that is used for collecting delinquent child support payments from noncustodial parents in the state. The "bank match" application is used to run quarterly matches of names with nine financial institutions in the state to establish whether delinquent parents have assets that can be used to pay off their child support obligations.
Each quarter, the state sends all nine financial institutions a list including names, Social Security numbers and bank or credit union account information for people who are behind on child support payments. If names from the list match the names of account holders, the institutions are required by state law to transmit that information -- using encryption -- back to the AHS.
The AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. "The original design called for the computer to store the data. That will no longer happen." According to Tringe, the NEFCU on two occasions -- in July 2004 and again in October 2005 -- sent over encrypted files via a communication method not used by the state. That resulted in a larger-than-required file of information being received by, and stored, on the compromised AHS server, she said.
John Dwyer, president of the NEFCU, said the agency on those two occasions used an "all accounts" method for transferring data instead of the "matched accounts" method used in Vermont. It was only on those two occasions that this sort of data transfer happened, he said.
"We were never informed of the error," Dwyer said. "If we had been, we certainly would've corrected it."
The 58,000 names represent nearly all of the NEFCU's members at that time. "We've grown bigger since then," Dwyer said.
The Windows-based system that was broken into at AHS appears to have been the target of an automated attack and not a directed one, Tringe said. "It looked like the system had been infected by several bots," which were then used to store various files on the computer -- including a copy of the TV show Bones, she said.
The compromise was detected when the agency's IT staff noticed several of its computers being pinged by the breached server, she said. According to Tringe, the compromised server had been fully patched with all Microsoft Corp. security updates.
"Our initial exams showed no evidence to indicate that any personally identifiable or financial information had been accessed," she said. But since there is no way of confirming that, the state decided to alert individuals of the potential compromise of their data, she said.
Letters are being sent to account holders at the following nine institutions: Central Vermont Public Service Employees Credit Union, First Brandon National Bank, Federal Family Credit Union, Granite Hills CU, Merchants Bank, New England Federal Credit Union, Northfield Savings Bank, Opportunities Credit Union and the Vermont State Employees Credit Union.