The hackers, who attacked one of www.RI.gov's portal servers on Dec. 28, also gained access to the partial credit card numbers of another 52,000 people, although those cardholders are not considered to be at risk of fraud, according to the site.
The Providence (R.I.) Journal reported that the hackers are believed to be Russian because they boasted about the attacks on a Russian-language website.
So far, none of the stolen account information has been used inappropriately, although the site suggests all people who made credit card payments on the site between Dec. 31, 2004 and March 8, 2005 – the transaction dates affected by the breach – request credit monitoring.
Breach notification will be sent to the 4,117 cardholders whose full numbers were revealed to the hackers, the site said.
www.RI.gov – managed by New England Interactive on behalf of the state – said it learned of the incident on the day it occurred and promptly notified authorities and banks. However, last Thursday, officials again contacted those agencies to inform them the breach was larger than originally suspected.
Since the breach, the site has been "locked down" to prevent more intrusions, RI.gov said. Additionally, an outside security firm has been hired to analyze and test the site for further vulnerabilities. The portal will no longer contain full credit card numbers.
Rhode Island residents can use the site to purchase renewals for their cars, buy marine and fishing licenses and register new businesses. As an audit continues, the site currently is not accepting credit card payments.
The incident, combined with the New Year's Eve theft of 365,000 patient records from the car of an employee of Portland, Ore.-based Providence Home Services, presents a gloomy forecast for this year, security information firm SecurityFocus said Tuesday.
"The incidents suggest that 2006 will not be much different than 2005, which saw more than 50 million sensitive data records leaked by online breaches and stolen backup tapes," SecurityFocus said. MasterCard International and Bank of America were sources of two of the breaches.
In the Providence Home Services case, the information has not been used for identity theft, according to the health service provider's website.