Kentucky has become the sixth state to disclose a data leak related to unemployment-related forms that has taken place during the Covid-19 pandemic.
The Kentucky Education & Workforce Development Cabinet (EWDC) on Thursday acknowledged that a vulnerability in its Unemployment Insurance Portal caused a data leak that allowed insurance claimants to view the identity verification documents of other claimants.
According to a Cabinet press release, the incident took place on Apr. 23, 2020 at 9:17 a.m.. The Cabinet says its Office of Technology Services (OTS), together with the Kentucky Commonwealth Office of Technology, took the portal offline by 11:30 a.m., made system changes by noon and permanently patched the software by midnight.
Although it is unknown how many claims were exposed, Kentucky officials say the risk is low and there have been no reports of identity theft or financial crimes resulting from this incident.
The press release does not indicate if the affected portal was set up or modified specifically for the Pandemic Unemployment Assistance (PUA) program that was set up under the federal CARES Act in response to the Covid-19 crisis.
However, prior to Kentucky's announcement, Arkansas, Illinois, Colorado, Ohio and Florida had all separately disclosed the accidental exposure of information belonging to citizens who applied to the PUA program. In all cases, the states said a very limited number of people inadvertently gained access to others' information.
The Ohio Department of Jobs and Family Services on May 21 reportedly [1, 2, 3] acknowledged a "data issue" that exposed names, Social Security numbers and street addresses to roughly two dozen individuals. The problem was discovered by Deloitte Consulting, which has been assisting the ODJFS in the administration of the PUA program.
The Colorado Department of Labor and Employment reportedly [1, 2] said that on May 16, it learned that six people were accidentally granted "intermittent access to 'admin' screens." As a result, the state's PUA claimants are now eligible for a year of free credit monitoring.
Deloitte, which reportedly has been partnering with Colorado as well, fixed the issue within an hour of it being identified, the department said.
And on May 21, the Florida Department of Economic Opportunity reportedly [1, 2] disclosed a data incident that affected 98 individuals. "This issue was addressed within one hour after we became aware of the incident," the statement reads. The department said although it has not received any reports of malicious activity, "we are making available identity protection services at no charge to affected individuals, and we have also advised them to report any unauthorized activity on their financial accounts."
Arkansas and Illinois were the first two states to disclose data leaks through their PUA web-based services. Experts have told SC Media that such mistakes are likely the results of states hastily propping of websites, portals and services to manage a heavy influx of PUA requests. Illinois reportedly also used Deloitte as a partner to set up online PUA capabilities -- a common thread between the Illinois, Ohio and Colorado disclosures.