When Connecticut suddenly ended its longstanding practice of sending paper checks for tax refunds nearly two years ago, some taxpayers criticized the decision to provide refunds via debit cards.
Now, the state is scrambling as some data on those tax-refund cards may have been exposed, raising the risk of identity theft.
State Treasurer Denise Nappier announced Thursday that the personal information on some prepaid debit cards was exposed during an attack on the computer servers of JP Morgan Chase, the international banking giant that oversees the debit card program for Connecticut.
The computer breach covers multiple states, and 14,335 accounts were exposed in Connecticut, Nappier said. Nearly 7,000 of those accounts involved taxpayers seeking refunds, and the remainder covered items like unemployment benefits and child-support payments that are now issued on debit cards. Those included more than 4,400 accounts at the state Department of Social Services, nearly 3,000 accounts at the Department of Labor, and seven at the Department of Children and Families.
The cardholders have not yet been notified, but the bank has agreed to provide them with two years of free credit monitoring to avoid problems with identity theft, officials said. The information that was exposed, but might not have been seized, includes Social Security numbers, bank account numbers, passwords, home addresses, telephone numbers and email addresses.
Last year Senate Republican leader John McKinney of Fairfield raised concerns when his constituents complained about the switchover on tax refunds, saying the decision had been made unilaterally without notifying the state legislature beforehand.
When told Thursday about the security breach, McKinney said, "You gotta be kidding me!"
McKinney, who is running for the Republican nomination for governor, immediately called for a public hearing to obtain a full explanation of the details of the breach. He had sought a similar hearing nearly two years ago to answer questions about security and why JP Morgan Chase was chosen for the job. The Democratic-controlled legislature, however, rejected the idea of a hearing and said the switch was a decision by Gov. Dannel P. Malloy's administration.
"We were told this was a perfect solution," McKinney said in an interview Thursday. "We were told this was foolproof and secure, and obviously the administration was wrong."
State tax Commissioner Kevin B. Sullivan, a former lawmaker who served in the state Senate with McKinney for nearly six years, started laughing when he heard that McKinney was calling for a new hearing.
"Sen. McKinney wants to have a hearing on everything, and I appreciate that his gubernatorial campaign needs" publicity, Sullivan said. "His response to everything is to have a hearing."
Sullivan said that no hearing is necessary and that state officials are working with the bank to resolve the issue.
The tax-refund breach covered only about 2 percent of the 360,000 debit cards that have been issued by the tax department, he said. And those whose information was exposed in that breach would be affected only under certain circumstances.
First, the taxpayer must have been using the card during an eight-week period between mid-July and mid-September, which was when the bank's computers were breached. No one has been charged in the cyberattack, and the FBI is investigating. Based on the time period of the attack, a taxpayer who received a refund shortly after the April 15 tax deadline and spent the entire amount on the card in April, May or June would not be affected, Sullivan said.
Second, the person must have activated the debit card by using a computer to access a specific JP Morgan Chase bank website, between mid-July and mid-September.
"Not everyone goes on the website," Sullivan said. "Some people activate by phone, which is how I did mine. ... If you took that card immediately last April and deposited it in your bank, this is not about you."
Both Nappier and Sullivan said they were shocked that the state was not immediately notified of the security breach by Chase, as required under the bank's contract with the state.
"I am dismayed that JP Morgan Chase delayed informing my office of this security breach for two and a half months -- from mid-September, when they first learned of it, until this week," Nappier said in a statement. "They should have picked up the phone immediately and called us. That the company failed to communicate this security breach in a timely manner raises concerns over its culture of compliance and broader governance issues."
After learning Tuesday about the hacking, Nappier said, her office immediately told officials in all of the state departments that were involved.
Nappier added: "At the end of the day, JP Morgan Chase has some work to do not only to assure the holders of its debit cards, but also to restore the state's confidence in the company's ability to remain worthy of our continued business. I have no tolerance for anything less than quality customer service, and I expect the management of JP Morgan Chase to direct their full attention to remediating this problem."
Deputy State Treasurer Christine Shaw said the bank initially offered one year of credit monitoring, but the state pushed successfully for two years.
"JP Morgan Chase's response to the security breach has been disappointing," Shaw said in an interview, adding that the contract called for swift notification. "The bank has represented to us that there has been no suspicious activity with these 14,000 accounts" during the eight-week period when information could have been viewed.
Bank officials could not be reached for comment Thursday.
Two years ago, Nappier said that nine banks showed interest in operating the debit card program when it was first discussed. Two banks eventually submitted proposals, and JP Morgan was chosen as the winner in a partnership with People's United Bank of Bridgeport. The contract, at the time, was designed to cost the state $25,000 per year and in turn would generate an estimated $290,000 in annual savings in bank fees and administrative costs, according to Nappier.
The state has multiple contracts with the bank, including one that paid $138,000 in fees during the 2013 fiscal year for direct deposit and debit card services at the state tax and labor departments, according to state records.
Before the switch at the tax department, unemployment checks already had been moved to debit cards and direct deposit, which Nappier said saves the state about $4 million annually.
The state tax department has been involved in security breaches in the past, including the high-profile loss of a department laptop on Long Island in August 2007 that has not been found. The Social Security numbers of more than 106,000 citizens were lost, and the attorney general's office issued a 37-page report that said that the tax department acted in a "cavalier and careless fashion" in handling confidential information.
The Long Island laptop turned into the million-dollar laptop as the state spent more than that amount in responding with identity-theft protection measures and moves to prevent miscues.
The tax department, Sullivan said, has made many improvements since the days of the Long Island laptop.
"The department was not very proactive at the time," said Sullivan, who was among the 106,000 taxpayers whose personal information was on the laptop. "That's not our practice here. ... The department did a horrible job. It never gets better when you don't tell. The department's attitude in those days was: Maybe it would just go away."
Sullivan added, "I suspect that laptop has long ago been dumped somewhere. I'm sure it's in a landfill somewhere."
(c) 2013 The Hartford Courant (Hartford, Conn.)