At least four states are warning applicants regarding an unemployment data breach that may have exposed their personal information after applying for benefits due to the Corona virus.
The breaches come from two incidents in states that hired contractors to implement the Pandemic Unemployment Assistance program, a version of unemployment insurance for Americans who don’t qualify for conventional unemployment benefits.
Together, they bring to light that rushing to implement systems and websites led to exposing tens of thousands of applicants to potential identity theft.
The first incident occurred in Arkansas, which launched its PUA website on May 5th. After a week and a half in operation, it was forced to temporarily take the website down and notify approximately 33,000 initial applicants of the incident and that they had exposed their personal information.
Steps were taken after a programmer trying to file for unemployment noticed a vulnerability that exposed the Social Security numbers and banking information of the people who had applied for benefits under the program.
A contract acquired by KATV-TV of Little Rock showed that the state had paid a local company, $3 million to create its PUA website in a span of three weeks.
It isn’t necessarily that these types of systems are especially vulnerable to data breaches. It’s that almost every kind of system, which is implemented on a minimal budget, worked by contractors who bid the lowest and not put through the rigorous testing required when dealing with people’s personal information.
The next incident occurred in Colorado, Illinois and Ohio which all hired the international consulting company Deloitte to build their PUA websites which all launched at the same time. These states have since alerted applicants of a potential unemployment data breach.
In a video posted by Illinois state Rep. Terri Bryant on Facebook, he says that a constituent tried to register for PUA benefits happened across multiple peoples’ names, full Social Security numbers, addresses, along with physical addresses and correspondence with the state Employment Security Department.
The states said Deloitte told each of them about a bug that gave some applicants access to other people’s personal information and said it fixed the issue within an hour. In Ohio that about two dozen of its residents were given such access, in Colorado there were about six people affected.
