SALT LAKE CITY — Gov. Gary Herbert called for an independent audit of all state technology security efforts and data storage procedures Wednesday.
The move comes after the most extensive data breach in state history, one that exposed more than 700,000 Utahns to potential identity theft and could end up costing the state millions of dollars.
"It is tragic that not only data was breached, but now individual trust is also compromised," Herbert said in a statement. The state is "doing everything" it can to restore security. "Now we must do everything we can to restore trust," herbert said.
Personal information for more than 700,000 people was stolen from a health department server, potentially 255,000 Social Security numbers taken, as well as names, birthdates and addresses from another 500,000 victims.
University of Utah professor Matt Might, who provides computer security expertise to institutions like the defense department, called the hacking "monumental," and avoidable.
"I think it was. It looks to me (like) deploying a server with poor password management is simply unacceptable and on top of that, there was no second line of defense," Might said. "It looks like the data wasn't encrypted once they were through. So not only was there no first line of defense, once they got it, they basically got everything."
The global market for pilfered personal information is roughly $50 billion, Might said. He estimates Eastern European hackers could make $25 million from the stolen Utah information.
"It looks like what these hackers are going to do is take these identities and resell them in bulk for probably $100, $150 per identity," he said.
"There's a criminal element out there that's constantly trying to get onto the state's servers," said Utah Department of Health spokesperson Tom Hudachko. "In fact, Technology Services fights off about a million attacks a day."
Hudachko said the state is sending a letter to those whose Social Security numbers were compromised, offering to pay for a year of free credit monitoring, something that could end up costing up to $4.5 million.
"Looking at $18.35 per person, up to possibly 255,000 people, it could be a substantial cost," he said. Hudachko said the one-year credit monitoring is standard for this type of problem.
Best advice: People should stay alert for the signs of identity theft, like accounts they didn't open and debts on them they can't explain.
Victims should place a fraud alert on credit reports and file a complaint with the Federal Trade Commission.
"I think we're going to want to monitor your credit report vigilantly for at least a couple of years and honestly probably for the rest of your life," Might said. "Whether or not your data has been stolen, it's probably going to get stolen at some point in the future and you have to stay on top of these things."
The governor's statement said outside firms will be hired to conduct a full-scale independent review.
The state has activated a new information hotline where people can get more information. The toll-free number is available in English and Spanish and has the capacity to handle increased call volumes. The number is 1-855-238-3339.