Firm seeks FBI’s help with virus

Northwest Arkansas Democrat-Gazette - NORTHWEST ARKANSAS - ERIC BESSON

The Kansas-based contractor that found a malicious virus in its digital system for job seekers in Arkansas and at least two other states has requested FBI assistance with the investigation, a state government official said Monday.

More than a week after unusual activity was first detected, officials still don’t know whether an estimated 19,000 Arkansas job seekers’ names, birth dates, Social Security numbers and other data were extracted from the compromised statewide database, Arkansas Department of Workforce Services spokesman Steve Guntharp said.

The breach affected at least two other previously unreported states — Idaho and Illinois, Guntharp said, relaying information that he said the contractor, America’s Job Link Alliance, provided to the agency.

Guntharp said he does not know how many people would be exposed in those states. Officials from Idaho and Illinois either didn’t return a reporter’s messages or declined to comment.

The contractor, which hosts and administers Arkansas JobLink and similar services in nine other states, has not issued a public statement. Its director said Monday afternoon by email that a statement would be released “soon” but not before today.

America’s Job Link Alliance has been in contact with Workforce Services about the breach since Wednesday, but state officials are becoming frustrated with the lack of definitive answers, Guntharp said.

“It’s been difficult to get answers out of them lately,” Guntharp said. “We’re starting to grow impatient.”

The company’s contract with Arkansas is worth more than $400,000 this year. Federal money is used to pay for the Web service, which aims to connect job seekers with prospective employers.

Guntharp confirmed on March 16 that a malicious virus was detected in the statewide database after the Arkansas Democrat-Gazette learned of the breach from an anonymous tip submitted by email.

The virus was a computer program written to “gather information” from the system, rather than to disable or damage it, but it’s not yet clear whether the virus was able to extract information before it was detected, Guntharp said.

Workforce Services also does not yet know whether the virus was the product of an intentional hack of the system or was accidentally uploaded by an unknowing user with an infected computer, Guntharp said.

America’s Job Link Alliance has contacted the FBI for help, Guntharp said, adding he’s not sure whether federal agents decided to take part in the investigation.

“We do not have any information for you at this time,” an employee of the FBI’s National Press Office said Monday.

Arkansas JobLink contains data for everyone who has used the service since it was established in 2001. The system retains users’ personal information indefinitely even though it deactivates their accounts after 90 days of no use.

Workforce Services, which learned of the breach March 15, will not formally alert people who used JobLink of the security lapse unless it’s determined that personal data was stolen because state law does not require them to issue notification unless that threshold is met, Guntharp said.

Arkansas Code Annotated 4-110-105 requires disclosure of system security breaches to “any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

The law allows state agencies or businesses to delay notification if it’s determined that disclosure would harm an ongoing criminal investigation.

Notification letters were written and ready to be mailed over the weekend, but the agency has held off, Guntharp said.

“We have held off because we’re trying to get clarity on A, if there was an exit [of information], and B, if there is a [criminal] investigation ongoing, are we going to interfere with that investigation by releasing that letter?” Guntharp said.

Blake Townsend, a certified ethical hacker and cybersecurity researcher for the Little Rock company PC Assistance, said officials should know by now whether information was stolen, unless logs that track how data move were inadequate or deleted by the virus.

“Under the right setup, they should absolutely know if data had been [removed],” Townsend said. “With the right software in place, the right protections in place, they should know.”

Ethical hackers are tasked with searching for weaknesses and vulnerabilities in systems administered by people who employ them. Townsend is not affiliated with Arkansas JobLink or America’s Job Link Alliance.

Messages left with Idaho Department of Labor spokesmen were not returned.

“We are still investigating and can’t comment at this time,” said Barton Lorimor, an Illinois Department of Employment Security spokesman.

It doesn’t appear the breach has been publicly reported in either state. State laws vary about when agencies or businesses must alert the public about information-security lapses.

Aside from Arkansas, Idaho and Illinois, the contractor hosts job-connection services for seven other states: Alabama, Arizona, Delaware, Kansas, Maine, Oklahoma and Vermont. Voicemails left Monday with media offices for appropriate agencies in each of those states were not returned.

America’s Job Link Alliance holds a $440,000 annual contract to manage Arkansas JobLink, according to a copy obtained by the Democrat-Gazette. The contractor must perform security maintenance upgrades and build complete backups of Arkansas JobLink data, the contract says.

The contract, which runs from Dec. 1, 2016 to Nov. 30, 2017, says the company must inform Workforce Services of any security breaches within 30 minutes of them occurring.

The firm’s director, Christine Bohannon, said Monday afternoon that the company would “soon” release a statement.

An email signed by Bohannon and sent on March 15 to Workforce Services officials says errors were detected in at least three unspecified state systems, starting March 13. After reviewing database logs, the contractor determined that someone was attempting to access “demographics pages” midday March 14, Bohannon wrote.

“We isolated the root cause and implemented a fix,” Bohannon wrote in the email, obtained by the Democrat-Gazette.

Townsend, the ethical hacker, said the early information released indicates to him that someone intentionally hacked the system.

The alternative possibility — that someone used the system without knowing their computer was infected by the virus and thus accidentally inserted it — is improbable in part because of the sophistication required to target a specific system, Townsend said.

If someone obtained the data on Arkansans, the person could probably fetch about $46,000 by selling it through an online black market, Townsend estimated. Names, birth dates and Social Security numbers hold value for thieves, even if the quantity, 19,000, is a relatively “tiny” number, Townsend said.

An estimated 1.3 million records have been exposed through 312 breaches so far in 2017, according to the nonprofit Identity Theft Resource Center. Of those breaches, 19 were of government or military information.
