State Unemployment Systems Battered With Breaches and Identity Fraud
The state of Arkansas shut down its unemployment application website after it was found to expose the PII of nearly 30,000 applicants, and Illinois faced a similar issue. Meanwhile, the U.S. Secret Service reports that hundreds of money mules are being used to funnel unemployment benefits to an organized fraud ring in Nigeria that is falsely filing for benefits with stolen identity information.
A computer programmer from Arkansas filed for unemployment on the state’s Pandemic Unemployment Assistance (PUA) website and discovered a vulnerability that exposed the Social Security Number, bank account number, routing number and other personally identifiable information (PII) of each applicant, a population approaching 30,000 individuals. After he reported the vulnerability to state police, the website was shut down later that day.
The Arkansas PUA website was sending applicant-provided information to a database but left all data, including SSNs and bank account information, unencrypted. By simply removing a portion of the public-facing website URL, anyone could reach the administrative portal, which had access to the applicant database, without being asked to authenticate.
A similar issue occurred in the state of Illinois, although the issue only impacted contractors and gig workers who applied for unemployment under the state PUA program. An unemployment applicant reported that she inadvertently accessed a spreadsheet including names and PII of thousands of unemployment applicants. This issue was resolved and the website is back up with the exposure vulnerability corrected.
In both the Arkansas and Illinois data exposure cases, it is fortunate that honest people uncovered the issue and reported it to authorities. There is no guarantee, however, that less honest people had not uncovered these vulnerabilities first.
These data exposures present risks which manifest themselves in different ways. The exposed data, especially Social Security Numbers, can be used to apply for loans – or even unemployment benefits – in another person’s name.
This is exactly what an organized fraud ring in Nigeria is doing, as reported by security journalist Brian Krebs referencing a U.S. Secret Service memo. The fraud ring has been applying for unemployment benefits targeting several states. Washington state has been the most targeted so far, but there is also evidence of attacks in Florida, Massachusetts, North Carolina, Rhode Island and Wyoming.
The Secret Service memo reports unemployment benefits being applied for in a Washington state resident’s name, with benefit payments going to out-of-state bank accounts owned by people with no connection to the name on the application. It is believed that a large network of money mules, numbering in the hundreds, is receiving these payouts and re-sending them abroad.
Washington halted unemployment benefit payouts for two days to investigate after finding over $1.6 million in illegitimate claims.
Interestingly, the Secret Service memo reports that “a substantial amount of the fraudulent benefits submitted have used PII from first responders, government personnel and school employees.” This indicates that much of the compromised PII may have come from data breaches impacting state, federal and municipal government agencies, similar to those impacting the Arkansas and Illinois unemployment websites. Fraudsters are bringing this stolen information full circle: stealing PII from these agencies, then using it to defraud other government agencies.