A multi-state database was hacked, potentially revealing names, dates of birth and Social Security numbers of hundreds of thousands of job seekers across 10 states...so far.
The site, America's Job Link Alliance (AJLA), is offered by the Department of Labor (DOL) and is managed by a third party. Kansas-based AJLA is used to coordinate federal unemployment and workforce development programs. Reports are still coming in but currently 10 states have been impacted: Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont.
AJLA–TS is developed and maintained by America's Job Link Alliance–Technical Support (AJLA–TS), which has been in business for nearly 50 years.
A hacker created a job seeker account in an America's JobLink (AJL) system on February 20, an AJLA statement explained. "The hacker then exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers." Upon discovery, technical personnel were deployed to disable the hacker's access and, the firm has verified, the flaw was remediated.
"AJLA–TS is working diligently with law enforcement officials to identify and apprehend the perpetrator," the statement said. As well, an independent forensic firm is investigating.
Notices to affected individuals were delayed, AJLA said, by the need to confirm the extent of the hacker's access and by law enforcement's investigation.
"It was important that AJLA–TS identify the misconfiguration and eliminate it from the system," the statement said. "The forensic firm's analysis required the review of a significant amount of system data. This analysis was needed to confirm that the hacker had actually accessed individuals' information, so as not to unnecessarily alarm affected individuals. Finally, it was critically important that any announcement not interfere with law enforcement's investigation."
"Since this is a job link site, it's possible that a hacker sent an employee a résumé with a malicious exploit inside, which is how he likely got ahold of one of the employees within the organization," Itay Glick, CEO of Votiro, told SCMedia on Thursday.
"Anytime people's personal information gets out there, it's reason for alarm," Delaware Department of Labor Secretary Patrice Gilliam Johnson was reported as saying by Delaware Online. "But at this time, it's hard for us to quantify. We're still trying to get to the facts, trying to figure out what this will mean in the long run."
"We don't know still how much data was breached at this point in time. We're still trying to gather information," Gov. Phil Scott, R-Vermont, was reported as saying by news site WCAX.
No evidence has yet surfaced that the information has been misused, AJLA claimed. However, the firm advised those affected to "remain vigilant" in keeping tabs on their financial statements and recommended monitoring credit reports with the major credit reporting agencies.
AJLA-TS is reportedly establishing a call center that is expected to be operational within a few days.