Northwest Arkansas Democrat-Gazette

Firm seeks FBI’s help with virus

- ERIC BESSON

The Kansas-based contractor that found a malicious virus in its digital system for job seekers in Arkansas and at least two other states has requested FBI assistance with the investigation, a state government official said Monday.

More than a week after unusual activity was first detected, officials still don’t know whether an estimated 19,000 Arkansas job seekers’ names, birth dates, Social Security numbers and other data were extracted from the compromised statewide database, Arkansas Department of Workforce Services spokesman Steve Guntharp said.

The breach affected at least two other previously unreported states — Idaho and Illinois, Guntharp said, relaying information that he said the contractor, America’s Job Link Alliance, provided to the agency.

Guntharp said he does not know how many people would be exposed in those states. Officials from Idaho and Illinois either didn’t return a reporter’s messages or declined to comment.

The contractor, which hosts and administers Arkansas JobLink and similar services in nine other states, has not issued a public statement. Its director said Monday afternoon by email that a statement would be released “soon” but not before today.

America’s Job Link Alliance has been in contact with Workforce Services about the breach since Wednesday, but state officials are becoming frustrated with the lack of definitive answers, Guntharp said.

“It’s been difficult to get answers out of them lately,” Guntharp said. “We’re starting to grow impatient.”

The company’s contract with Arkansas is worth more than $400,000 this year. Federal money is used to pay for the Web service, which aims to connect job seekers with prospective employers.

Guntharp confirmed on March 16 that a malicious virus was detected in the statewide database after the Arkansas Democrat-Gazette learned of the breach from an anonymous tip submitted by email.

The virus was a computer program written to “gather information” from the system, rather than to disable or damage it, but it’s not yet clear whether the virus was able to extract information before it was detected, Guntharp said.

Workforce Services also does not yet know whether the virus was the product of an intentional hack of the system or was accidentally uploaded by an unknowing user with an infected computer, Guntharp said.

America’s Job Link Alliance has contacted the FBI for help, Guntharp said, adding he’s not sure whether federal agents decided to take part in the investigation.

“We do not have any information for you at this time,” an employee of the FBI’s National Press Office said Monday.

Arkansas JobLink contains data for everyone who has used the service since it was established in 2001. The system retains users’ personal information indefinitely even though it deactivates their accounts after 90 days of no use.

Workforce Services, which learned of the breach March 15, will not formally alert people who used JobLink of the security lapse unless it’s determined that personal data was stolen because state law does not require them to issue notification unless that threshold is met, Guntharp said.

Arkansas Code Annotated 4-110-105 requires disclosure of system security breaches to “any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

The law allows state agencies or businesses to delay notification if it’s determined that disclosure would harm an ongoing criminal investigation.

Notification letters were written and ready to be mailed over the weekend, but the agency has held off, Guntharp said.

“We have held off because we’re trying to get clarity on A, if there was an exit [of information], and B, if there is a [criminal] investigation ongoing, are we going to interfere with that investigation by releasing that letter?” Guntharp said.

Blake Townsend, a certified ethical hacker and cybersecurity researcher for the Little Rock company PC Assistance, said officials should know by now whether information was stolen, unless logs that track how data move were inadequate or deleted by the virus.

“Under the right setup, they should absolutely know if data had been [removed],” Townsend said. “With the right software in place, the right protections in place, they should know.”

Ethical hackers are tasked with searching for weaknesses and vulnerabilities in systems administered by people who employ them. Townsend is not affiliated with Arkansas JobLink or America’s Job Link Alliance.

Messages left with Idaho Department of Labor spokesmen were not returned.

“We are still investigating and can’t comment at this time,” said Barton Lorimor, an Illinois Department of Employment Security spokesman.

It doesn’t appear the breach has been publicly reported in either state. State laws vary about when agencies or businesses must alert the public about information-security lapses.

Aside from Arkansas, Idaho and Illinois, the contractor hosts job-connection services for seven other states: Alabama, Arizona, Delaware, Kansas, Maine, Oklahoma and Vermont. Voicemails left Monday with media offices for appropriate agencies in each of those states were not returned.

America’s Job Link Alliance holds a $440,000 annual contract to manage Arkansas JobLink, according to a copy obtained by the Democrat-Gazette. The contractor must perform security maintenance upgrades and build complete backups of Arkansas JobLink data, the contract says.

The contract, which runs from Dec. 1, 2016 to Nov. 30, 2017, says the company must inform Workforce Services of any security breaches within 30 minutes of them occurring.

The firm’s director, Christine Bohannon, said Monday afternoon that the company would “soon” release a statement.

An email signed by Bohannon and sent on March 15 to Workforce Services officials says errors were detected in at least three unspecified state systems, starting March 13. After reviewing database logs, the contractor determined that someone was attempting to access “demographics pages” midday March 14, Bohannon wrote.

“We isolated the root cause and implemented a fix,” Bohannon wrote in the email, obtained by the Democrat-Gazette.

Townsend, the ethical hacker, said the early information released indicates to him that someone intentionally hacked the system.

The alternative possibility — that someone used the system without knowing their computer was infected by the virus and thus accidentally inserted it — is improbable in part because of the sophistication required to target a specific system, Townsend said.

If someone obtained the data on Arkansans, the person could probably fetch about $46,000 by selling it through an online black market, Townsend estimated. Names, birth dates and Social Security numbers hold value for thieves, even if the quantity, 19,000, is a relatively “tiny” number, Townsend said.

An estimated 1.3 million records have been exposed through 312 breaches so far in 2017, according to the nonprofit Identity Theft Resource Center. Of those breaches, 19 were of government or military information.
