Vermont agency warns 70,000 of possible data compromise

30.01.2007
The Vermont Agency of Human Services (AHS) Tuesday started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data.

The breach was discovered on Dec. 8 and involved a computer running an application that is used for collecting delinquent child support payments from noncustodial parents in the state. The "bank match" application is used to run quarterly matches of names with nine financial institutions in the state to establish whether delinquent parents have assets that can be used to pay off their child support obligations.

Each quarter, the state sends all nine financial institutions a list including names, Social Security numbers and bank or credit union account information for people who are behind on child support payments. If names from the list match the names of account holders, the institutions are required by state law to transmit that information -- using encryption -- back to the AHS.

The AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. "The original design called for the computer to store the data. That will no longer happen." According to Tringe, the NEFCU on two occasions -- in July 2004 and again in October 2005 -- sent over encrypted files via a communication method not used by the state. That resulted in a larger-than-required file of information being received by, and stored on, the compromised AHS server, she said.

John Dwyer, president of the NEFCU, said the agency on those two occasions used an "all accounts" method for transferring data instead of the "matched accounts" method used in Vermont. It was only on those two occasions that this sort of data transfer happened, he said.

"We were never informed of the error," Dwyer said. "If we had been, we certainly would've corrected it."