When the state suddenly ended its longstanding practice of sending paper checks for tax refunds nearly two years ago, some taxpayers criticized the decision to provide refunds on debit cards.
Now, the state is scrambling as some data on those tax-refund cards may have been exposed to potential identity theft.
State Treasurer Denise Nappier announced Thursday that the personal information on some prepaid debit cards may have been exposed during an attack on the computer servers of JP Morgan Chase, the international banking giant that oversees the debit card program for Connecticut.
Senate Republican leader John McKinney of Fairfield had raised concerns last year when his constituents complained about the switchover on tax refunds, saying the decision had been made unilaterally without prior notification to the state legislature.
When told Thursday about the security breach, McKinney said, “You gotta be kidding me!’’
McKinney, who is running for the Republican nomination for governor, immediately called for a public hearing to obtain a full explanation on the details of the breach. He had sought a similar hearing nearly two years ago to answer questions about security and why Chase was chosen for the job. The Democratic-controlled legislature, however, rejected the idea of a hearing and said the switch was a decision by Gov. Dannel P. Malloy’s administration.
“We were told this was a perfect solution,’’ McKinney said in an interview Thursday. “We were told this was foolproof and secure, and obviously the administration was wrong.’’
State tax commissioner Kevin B. Sullivan, a former lawmaker who had served in the state Senate with McKinney for nearly six years, started laughing upon hearing that McKinney was calling for a new hearing.
“Senator McKinney wants to have a hearing on everything, and I appreciate that his gubernatorial campaign needs’’ publicity, Sullivan said. “His response to everything is to have a hearing.’’
Sullivan said that no hearing is necessary and that state officials are working with the bank to resolve the issue.
The computer breach covers multiple states, and 14,335 accounts were exposed in Connecticut, Nappier said. Nearly 7,000 of those accounts involved taxpayers seeking refunds, while the remainder covered items like unemployment benefits and child-support payments that are now issued on debit cards. Those included more than 4,400 accounts at the state Department of Social Services, nearly 3,000 accounts at the Department of Labor, and seven at the Department of Children and Families.
The cardholders have not yet been notified, but the bank has agreed to provide two years of free credit monitoring in order to avoid problems with identity theft, officials said. The information that could have been exposed includes Social Security numbers, bank account numbers, passwords, home addresses, telephone numbers, and e-mail addresses. Those receiving refunds via direct deposit were not involved in the breach.
The tax-refund debit cards have been available for two years – after the April 15 deadlines in 2012 and 2013.