A law firm noted for its advocacy on behalf of data breach victims announced it is investigating the breach of America's Job Link Alliance (“AJLA” or “Job Link”) which resulted in the exposure of the personal information of hundreds of thousands of job seekers.
Goldman Scarlato & Penny, P.C.(GSP) issued a statement on March 23 inviting those affected in the multi-state breach to contact a GSP attorney.
The damage, so far
Arkansas - 19,000
Oklahoma - 430,000+
Job Link's website coordinates federal unemployment and workforce development programs and links job seekers with employers. While its network extends to several states, at the moment only those job seekers in the following states have been notified: Arkansas, Idaho, Illinois, Alabama, Arizona, Delaware, Kansas, Maine, Oklahoma and Vermont.
The GSP statement claimed that those who established a Job Link account between March 2013 and March 14, 2017, may have been affected by the data breach.
"The data theft was not an accident," the statement said.
It has been reported that a person, so far unknown, gained access to the system by filling out a "job-seeker account," and then managed to hack his way into the database and view names, Social Security numbers and dates of birth of job applicants in 10 states.
"While AJLA claims that the website vulnerability has been resolved, that does not mean that information already stolen is not at risk," GSP stated.
"This case is an unfortunate reminder that organizations rely on third parties with our information, but have no way to control how that information is protected,” Ebba Blitz, CEO of Alertsec, a laptop encryption company, told SC Media on Friday. “If we look at the consequences for the affected individuals, we clearly see that data security is crucial for a functioning society. Third party protection is a big and growing challenge."
New York has taken a very responsible approach to third-party compliance with the recent adoption of the nation's toughest cybersecurity regulations, Blitz said. "Maine, as well as the rest of the country, will need to review their policies and make improvements as well.”
Notifying victims in an efficient manner is important for every data breach, but communication is especially crucial when it impacts a regulatory body like the Department of Labor – which contracted with AJLA – and its stakeholders, Dana Simberkoff, chief compliance and risk officer at software vendor and manufacturer AvePoint, told SC Media on Friday.
"Though the DoL was confirming the extent of the hacker's access before disclosing the breach, notification to affected individuals was delayed – which could further expose job seekers' personal information to hackers," she said. "Other than the slight delay in breach notification, I'd say the DoL has done its due diligence in investigating the breach and taking the proper actions to resolve the issue.”
To tighten up security, the DoL should reevaluate its controls to make sure its data (and job seekers' data) is controlled, intentional, purposeful and thoughtful rather than something that's easily accessible by hackers, Simberkoff said. "The DoL should also take measures to gain back the trust of individuals affected by this breach. By prioritizing cybersecurity, the DoL can foster a more trusting relationship among all stakeholders.”
UPDATE: In Illinois, the Department of Employment Security confirmed that one of its vendors experienced a data breach. The breach could affect about 1.4 million job seekers.
“The threat of cybercrime is a clear and present danger to the citizens of Illinois and our administration will continue pressing forward with a comprehensive cybersecurity strategy,” said Eleni Demertzis, a spokeswoman for Gov. Bruce Rauner. The governor's office implored Comptroller Susana Mendoza, who they claim is holding up funding for added security, to re-evaluate her decision.
IDES is preparing notices to those affected.
Meanwhile, numbers have been announced for those possibly affected in Vermont. The Vermont Labor Department said as many as 182,000 Vermont accounts may have been exposed as a result of the breach at Job Links. The compromise could impact subscribers who had an account on the Vermont Department of Labor's Job Link website since 2003, the department said.