During a joint press conference Thursday, federal and state officials said this was the largest security breach at the Department of Workforce Services and were working to re-instate the public's trust.
"It is a particularly gross crime," said U.S. Attorney for Utah Brett Tolman.
Authorities unsealed indictments against four individuals, including one state employee.
Charged were Joshua Smith, 32, of Murray; Michelle Chapman, 29, of Murray; John Johnstun, 44, or Midvale and Laura Bustamante, 34, of Midvale.
Authorities said Bustamante had worked on and off with the DWS as early as 2000 and recently had worked as an eligibility specialist, taking applications from Utah residents applying for food stamps, financial aid, child care programs including CHIP and Medicaid.
Deputy DWS Director Christopher Love said Bustamante had access to a database containing personal information from as many as 1,775 individuals, including addresses, Social Security numbers and images of bank statements.
Tolman said an investigation showed less than 100 accounts were used to take out credit cards by the group. According to the indictment, Bustamante would forward to her friends personal information from a DWS database via phone or text. The group would then apply for credit cards using the stolen information. Tolman said on a few occasions the group charged as much as $10,000 to $12,000.
According to the Secret Service, the ID theft began in September of last year. A report of a stolen car last January, in addition to a tip called in to DWS, sparked the investigation. A search at a downtown hotel room where Chapman and Smith were staying yielded a fake state ID card and several credit cards in the name of DWS customers.
Love said Bustamante was immediately placed on administrative leave upon receipt of the tip and she was later terminated.
DWS officials said they were doing everything they could to help victims sort out their credit. Love said the department has sent letters to all DWS customers who were at risk and have contacted known victims by phone. The department has also set up a security support line to help them take steps to minimize the impact of the ID theft. The Utah Attorney General's Office has also established a Web site where customers can obtain free credit reports and learn how to identify potential fraudulent charges.
Love also said DWS is taking steps to review its security policies and has also installed an internal tip hotline for its employees. Bustamante had recently moved from a DWS satellite office and was telecommuting from her home.
Bustamante is charged with one count of computer fraud, two counts of aggravated identity theft and one count of destruction of records. Johnstun is charged with one count of destruction of records. Smith and Chapman are each charged with one count of access device fraud and one county of aggravated identity theft.
The penalty for computer fraud is up to five years in federal prison. Destruction of records carries up to 20 years in prison. Access to device fraud is up to 10 years and aggravated identity theft carries a mandatory-minimum sentence of two years and must be stacked against any other sentence.
"We sincerely regret this breach of security," said DWS Executive Director Kristen Cox in a statement. "Our former employee's alleged misconduct certainly does not represent the long-standing honesty, integrity and dedication of our staff to the well being of each and every one of our customers."
DWS points out that after employing over 2,300 individuals, this is the first instance of identity theft by an employee in the department's history.
Copyright 2016, Deseret News Publishing Company