Rhode Island news

Hackers stole 4,118 credit-card numbers

The state is demanding several things from the company that runs the RI.gov Web site, including notification of all card holders whose information was stolen.

01:17 AM EST on Saturday, January 28, 2006

BY PAUL EDWARD PARKER
Journal Staff Writer

Computer hackers stole 4,118 credit-card numbers when they broke into the state's Web site last month, Governor Carcieri said yesterday, providing the first indication of the scope of the theft.

Meanwhile, a Boston law firm hired by the state yesterday sent a strongly worded letter to New England Interactive, the private company that operates the state Web site, www.RI.gov.

"New England Interactive so far has provided incomplete and conflicting responses to the state's efforts to obtain accurate information regarding the size, nature and reason of any such breach," the two-page letter says. "This is unacceptable, and has unnecessarily led to confusion and concern among the users of the RI.gov Web site."

Credit-card information should have been stored securely while it was needed, then destroyed, the letter says. "New England Interactive apparently has failed to meet these basic requirements and breached the trust placed in it by the state and citizens of Rhode Island."

The letter sets eight conditions that New England Interactive must meet at its own expense.

Carcieri said in an interview that the state is reviewing its contract with the company. "That contract was put in place for that service provider before I got here," he said. "But I want to know: have we got the best service provider out there? I want to have the best site that we can get, that's most secure, so people will feel comfortable using it."

Also yesterday, a spokesman for New England Interactive's parent company accepted blame for the security breach. "It was an error on behalf of NEI. It was our fault," said Chris D. Neff, vice president of marketing for NIC, a company based in Kansas. NIC, through subsidiaries such as New England Interactive, operates Web sites or portions of them for 18 states.

NIC's subsidiaries make money primarily in two ways: as agents of the state, selling individual driver's records to resellers, such as ChoicePoint, who provide them to the insurance industry. When a record is sold, the state gets most of the money, but NIC keeps some of it. NIC also makes money from people conducting business on a state Web site. As an example, if it costs $10 to renew a fishing license in person, it might cost $11 for the convenience of doing it online. The state would still get its $10, and NIC would get $1.

In Rhode Island, New England Interactive is not paid by the state to run the Web site.

Neff said procedures that make it nearly impossible to decipher credit-card numbers stored at the state's Web site had not been properly used at RI.gov. He said the problem did not affect other states' Web sites. "The error that caused the security breach was unique to Rhode Island."

Neff urged anyone who has done business with a credit card at RI.gov to call their credit-card company and ask to have their account monitored for fraud.

THE BREACH first surfaced on a Russian-language Web site two weeks ago. The hackers detailed how they broke into the site and accessed credit-card information.

Among the eight conditions the state imposed on New England Interactive was the suspension of credit-card transactions at RI.gov as of 9:30 a.m. yesterday.

Last year, 50,569 vehicle registrations were renewed online. Because the Division of Motor Vehicles does not accept renewals in person, those transactions will have to be handled by mail until the online suspension is lifted.

Jeff Neal, a spokesman for Carcieri, said the state couldn't predict when the suspension would be lifted.

Four of the eight conditions involve people whose credit-card numbers may have been stolen. The state wants the company to identify all people whose information may have been compromised, to notify them in writing immediately, to establish a way for people to call or e-mail to check whether their information was compromised, and to provide credit-card replacements, credit monitoring and credit rehabilitation for people who were affected.

Neal said the company would contact the 4,118 people whose credit-card numbers were stolen, not the roughly 53,000 people whose records the hackers claimed were in the database they broke into.

The state is also demanding that New England Interactive hire an outside security consultant to determine whether they have fixed all the problems with RI.gov.

"They claim it's been fixed. We want to make sure," said Carcieri. "They've shut the system down. We're bringing in some other expertise to make sure it is secure before we bring it back up."

The FBI, the Secret Service, the U.S. Attorney's office and the state police will all review the incident to determine whether investigations are warranted.

New information about how and when the state was notified about the breach emerged yesterday.

Hackers attacked the site Dec. 28 from about 6 a.m. to 1 p.m., according to a report from New England Interactive. The next day, the company reported to the head of the state's computer operations that eight credit-card records had been compromised. Because the breach appeared small and steps had been taken to prevent its recurrence, it was not reported to the state's administration director or to the governor's office.

At that time, according to Neff, the company contacted the Secret Service and credit-card companies about the eight compromised accounts.

Further investigation by the company revealed that the problem was larger, Neff said. He said the company was still in the process of notifying credit-card companies about the additional compromised cards.

It was not until just after noon Thursday that the state was notified that the problem was larger, according to Neal.

Journal staff writers W. Zachary Malinowski and Scott Mayerowitz contributed to this report.

pparker@projo.com / (401) 277-7360

Services suspended

Eleven services at RI.gov are temporarily off-line.

Fishing license renewal

Boat license renewal

Vehicle registration renewal

Driver records

Business tax payment

Quarterly wage tax payment

Agricultural-product permit renewal

Student loan payment

New business registration

University of Rhode Island RAM account deposits and dining-plan changes

Right-to-Know form filing (for disclosing workplace hazardous substances)
