Arkansas and Illinois both reportedly exposed sensitive citizen data after failing to adequately secure web services that the states urgently propped up in order to process applications for the federal Pandemic Unemployment Assistance program.
Experts say the hurried pace of setting up these digital services could very well have resulted in glitches and overlooked gaps in security.
"While it's unfortunate, it also should have been expected that in the urgency to roll out Pandemic Unemployment Assistance to millions of people overnight, there would be inadvertent vulnerabilities," said Mark Weatherford, chief strategy officer at the National Cybersecurity Center and a former CISO for the states of California and Colorado. "The lack of appropriate software development due diligence is almost always the first casualty in an emergency situation.
"Unfortunately, in this case, citizen PII was potentially compromised and now these states will spend hundreds of thousands of dollars in forensics investigations to identify the extent of, and remediate, the damage."
According to the Arkansas Times, the Arkansas PUA website leak was discovered by an unemployment applicant with a computer programming background, who realized he was able to access the site's administrative portal simply by removing part of the site's URL. The programmer went on to observe that the site was using an unencrypted API to connect with a database.
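The admin-portal exposure described above is the classic shape of a missing server-side authorization check: a parent path serves privileged content while only the child path anyone thought about was protected. The following is an added illustration, not code from the Arkansas site or the Arkansas Times, using hypothetical paths, roles and handlers; it contrasts an opt-in "protect the paths we listed" router with a default-deny router where every route declares who may reach it.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)  # e.g. {"role": "applicant"}

# Hypothetical handlers: a public claim form and an admin view of all claims.
def claim_form(req):
    return 200, "claim form"

def admin_claims(req):
    return 200, "all claims (constructed placeholder for sensitive records)"

# Both the child path and its parent are mounted; the parent is the admin portal.
ROUTES = {"/pua/apply": claim_form, "/pua": admin_claims}

# Vulnerable pattern: authorization is an afterthought applied only to paths
# someone remembered to list. The parent path was never listed, so trimming
# "/apply" off the URL reaches the admin view with an ordinary session.
NEEDS_ADMIN = {"/pua/admin"}  # stale entry; the portal actually lives at /pua

def route_optin(req):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.path in NEEDS_ADMIN and req.session.get("role") != "admin":
        return 403, "forbidden"
    return handler(req)

# Hardened pattern: every route declares the roles allowed to reach it, and
# anything without a session or an allowed role is refused before dispatch.
ROUTES_WITH_POLICY = {
    "/pua/apply": (claim_form, {"applicant", "admin"}),
    "/pua": (admin_claims, {"admin"}),
}

def route_default_deny(req):
    entry = ROUTES_WITH_POLICY.get(req.path)
    if entry is None:
        return 404, "not found"
    handler, allowed_roles = entry
    role = req.session.get("role")
    if role is None:
        return 401, "authentication required"
    if role not in allowed_roles:
        return 403, "forbidden"
    return handler(req)
```

A review check that follows from this: enumerate every mounted path (including parents of public paths) and confirm each one has an explicit policy, rather than auditing only the paths listed as protected.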
The exposed portal, which was launched on May 5, reportedly held roughly 30,000 applications, which included such data as Social Security numbers and bank account and routing numbers.
The Arkansas Times noted that the programmer initially had difficulty reaching anyone within the state government to report the problem, but shortly after the news organization contacted the Division of Workforce Services, the site was taken down for maintenance last Friday afternoon.
"One of the continuing problems across all government organizations – federal, state, and local – is: 'Who do you call for a cyber-related incident?'" said Weatherford. "Making a 1-800 number available 24/7/365 to a computer emergency response team so citizens can report incidents when they occur should be a fundamental requirement of government."
Zoë Calkins, communications director with the Arkansas Division of Workforce Services, reportedly provided a statement, which read in part: "As soon as we learned of this incident, we immediately took our systems offline to deny outside access to the network. We have engaged independent computer forensic experts to conduct an investigation and determine how this occurred and what, if any, data is at risk. We are committed to completing a full forensic review and will take all appropriate action in response to our findings."
"We want to make sure that the system is in good shape before it goes back online," Arkansas Governor Asa Hutchinson (R) reportedly said.
Meanwhile, the Illinois Department of Employment Security (IDES) and the office of Governor J.B. Pritzker (D) reportedly acknowledged that the state's brand-new system for processing online unemployment, which went live on Monday, temporarily leaked certain private citizen information.
WBEZ reported the data leak after the local news affiliate received a screenshot from the IDES website, which displayed names, Social Security numbers and other data belonging to claimants.
Pritzker spokeswoman Jordan Abudayyeh reportedly said in a statement that IDES is "aware there was a glitch in the new PUA system that made some private information publicly available for a short time and worked to immediately remedy the situation." Moreover, "A full investigation is underway to assess exactly what happened and how many people were impacted. Those who were impacted will be notified."
In a press release and open letter, State Representative Terri Bryant (R-Murphysboro) said the leak was first brought to her attention last Friday by a constituent, and called on the governor's office to share additional details on the leak, which apparently was fixed shortly after IDES was alerted to the issue.
"Through a series of just two clicks, this constituent stumbled upon the personal information of thousands of unemployment applicants on the IDES website," said Bryant. "This came up in a spreadsheet with thousands of names containing sensitive information. The information she was able to access included the name, address, social security number and unemployment claimant ID number of thousands of people."
SC Media reached out to the governor's offices in both Arkansas and Illinois for additional comment and clarification on what caused the issues.
The incidents are vaguely reminiscent of the early controversy surrounding the ObamaCare website HealthCare.gov, which, despite meeting its projected launch date of October 1, 2013, was found to be slow, glitchy and a potential data security risk. Costs later escalated as the federal government brought in consulting and contracting services to assess and fix the issue.
"A few months ago, state governments had to quickly launch COVID-related websites in order to get information regarding the pandemic and shelter-in-place orders to their constituents. Sometimes, rushing can lead to cybersecurity vulnerabilities, but without insider insights, it's hard to say exactly what went wrong in these situations," said Neill Feather, chief innovation officer at SiteLock. "Even with ample time to create, there is no guarantee that vulnerabilities will not appear after launch."
SiteLock's own internal data indicates that websites experience an average of 94 attacks per day -- up 52 percent from last year. "With double the attacks to defend against, it is increasingly difficult for IT professionals to protect sites from vulnerabilities, especially when working under this time pressure," added Feather, who warned that cybercriminals will surely be tempted to exploit these state-run sites as they see increased traffic.
Should such incursions happen, "it is extremely important for states to identify the nature of these attacks, and what may have introduced the weaknesses that they were able to take advantage of, so they can react and ensure visitor safety," Feather said.
Feather recommended that state governments conduct regular cyber hygiene scans, quickly identify and patch vulnerabilities, and introduce two-factor authentication.