Losing a job and struggling with finances have added significant stress to those trying to stay safe during the COVID-19 pandemic. It is no secret that for weeks, state departments administering unemployment compensation have been under fire due to massive backlogs of unprocessed claims. Adding to claimants’ frustrations are a number of security incidents affecting several states’ agencies. We previously reported that the Small Business Administration experienced a breach compromising personal data for thousands of applications for financial assistance. Now we are seeing state level entities experiencing security compromises.
Pandemic Unemployment Assistance (PUA) is unemployment compensation available to self-employed and “gig” workers. In the past several weeks, thousands of workers in several states who applied for PUA received notice that their personal information was possibly exposed to other users. The personal information exposed included social security numbers, addresses, names, and the amount workers were receiving in benefits. Fortunately, at least at this time, there is no evidence personal information was misused and the alerts from the states were preventative.
- Ohio. According to Ohio’s Department of Job and Family Services (ODJFS), 24 people had access to other users’ information. In Ohio, Deloitte Consulting is under contract with ODJFS to develop the system to administer the PUA program. ODJFS stated Deloitte fixed the issue within one hour of the unauthorized access being identified. ODJFS contacted the individuals who had accidental access to the system data. The state told applicants that Deloitte would offer free Experian Identity Works protection services for the next 12 months.
- Illinois. After a significant delay, the Illinois’ PUA system launched last week, and 50,000 PUA claims have since been processed. A preliminary analysis performed by the Illinois Department of Employee Security (IDES) found at least one claimant was able to inadvertently access other users’ information, but the results of a full-scale investigation are pending. IDES intends to explore further remediation with Deloitte Consulting upon completion of the investigation.
- Colorado. Six claimants reportedly accessed other users’ applications from May 2, 2020, through May 15, 2020. The 72,000 people in the state’s PUA system were reportedly offered 12 months of free credit monitoring.
- Florida. The Florida Department of Economic Opportunity announced 98 claimants were affected by a “data security incident.” The state also offered identity protection services at no charge to affected individuals. The agency discovered the breach within one hour and has not received any reports of malicious activity related to the breach.
- Arkansas. On May 16, 2020, Arkansas announced it was shutting down its gig worker unemployment program after it apparently was accessed illegally.
- Washington. This past month a fraud ring attacked Washington State’s unemployment system, which had to shut down all unemployment payments for a two-day period.
- New York. In April, New York’s unemployment insurance system accidentally leaked personal information.
Such news is hardly uncommon. We have already written on the ways mistakes and the actions of bad actors are affecting the security of personal data. However, this news is particularly painful and tragic as we see individuals already struggling with the hardships of unemployment now having to deal with the added stress and steps required to protect their personal data against misuse.
Times of crisis understandably distract us from the things that routinely keep us safe and operational. Consumers and businesses, alike, need to remain vigilant when it comes to safeguarding personal information, now more than ever. Consumers should take charge of their personal data, whenever possible. Consumers should regularly review accounts for any irregular activity and report such activity immediately. Credit accounts should be frozen to protect against unauthorized access. The process is simple and inexpensive, and often free.
Businesses should regularly audit system activity for irregular activity and take steps to actively upgrade and improve security, especially as new threats emerge. Companies should exercise diligence any time they update company systems with new software to ensure such software does not introduce security vulnerabilities. The bad guys are looking for just one door to be opened, even momentarily. Again, when companies are faced with keeping the lights on and employees employed, it can be understandable that data privacy and security might take a back seat. However, as we have found out, failing to keep privacy and security in focus can only make tough times even worse.