Hack pushes state to review contract

Breach hit data of 598,533 job seekers

Northwest Arkansas Democrat-Gazette - FRONT PAGE - BRANDON MULDER

The Arkansas Department of Workforce Services is shopping for a new database provider to host and administer the state’s virtual employment tool after nearly 600,000 Arkansans were affected by a data breach in the spring.

The Kansas-based database contractor America’s Job Link Alliance-TS, which has contracted with the state since 2007, reported to the state agency in March that the records of at least 19,000 Arkansas job seekers had been compromised, although it wasn’t clear what data the hackers had extracted.

The state agency now knows the attack affected 598,533 Arkansans, and that hackers obtained private sensitive data, such as Social Security numbers, names and in some cases phone numbers and addresses, spokesman Steven Guntharp said.

The department also said Friday that no one has reported any identity theft related to the compromise.

The Workforce Services Department has contracted with the Kansas company since 2007, when the state launched its Arkansas JobLink program. The company’s database is a repository for all data submitted by job seekers through the state’s JobLink program, as well as for job programs in 15 other states that have contracts with the company.

According to a news release from the company, the data breach scraped or downloaded private information from more than 5.5 million job seekers across 10 of the company’s 16 client states: Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont.

The company issued an “incident call” to the state March 15, one day after the attack was discovered. Arkansas and other states soon after requested assistance from the FBI, which launched an investigation that is ongoing.

This year’s $440,000 contract between Arkansas Department of Workforce Services and America’s Job Link Alliance-TS, which runs from Dec. 1, 2016, to Nov. 30, 2017, stipulates that the company must inform the department of any security breaches within 30 minutes of them occurring.

The department, however, does not feel the company met that provision of the contract.

“According to the time they gave us and when they let us know, we do not think they notified us within 30 minutes,” Guntharp said.

In response to the incident, Workforce Services Director Daryl Bassett arranged a committee that is shopping for other possible vendors before the contract with America’s Job Link Alliance expires in November.

“We’re actively looking at other vendors,” Guntharp said.

“To say that we’re 100 percent going to continue our contract with them, we just don’t know yet at this time,” he said.

The Arkansas Democrat-Gazette reported in March that an email signed by company director Christie Bohannon and sent to Workforce Services Department officials said the company was made aware of a “potential issue” March 12, three days before the state was notified. The company’s investigation continued into the next day, Monday, when it determined that one job seeker was using a bot to access users’ “demographics pages,” and by Tuesday a fix had been implemented.

A week later, the company posted a statement on its website, explaining that a hacker “exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers,” and that the “code misconfiguration” was introduced into the company’s system through a system update in October 2016.

“This misconfiguration has since been eliminated,” the statement said.
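The pattern the article describes, one authenticated account using a bot to pull other job seekers’ demographics pages, is the kind of activity a review of web access logs can surface well before a forensic firm finishes its analysis. The Python below is an added illustration written for this page; it is not AJLA-TS code and the company has published no such tool. It assumes a simple log format with a `user=` field identifying the logged-in account, a `/demographics/<id>` URL pattern, and a threshold of five other people’s records inside 60 seconds; all of these are assumptions, and the log lines are constructed.

```python
"""Flag accounts that walk through other users' demographics pages.

Added example for this article, not AJLA-TS code. The log format, the
/demographics/<id> path, the user= field and the thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line shape: "<iso-timestamp> user=<id> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$'
)
# Assumed URL shape for a job seeker's demographics page.
PROFILE_RE = re.compile(r'^/demographics/(?P<target>\d+)$')

# Constructed sample: user 1001 browses normally, user 1002 steps through
# other people's records at machine speed (one of them does not exist).
SAMPLE_LOG = """\
2017-03-12T10:00:01 user=1001 GET /demographics/1001 200
2017-03-12T10:00:05 user=1001 GET /jobs/search 200
2017-03-12T10:01:00 user=1002 GET /demographics/1002 200
2017-03-12T10:01:01 user=1002 GET /demographics/1003 200
2017-03-12T10:01:01 user=1002 GET /demographics/1004 200
2017-03-12T10:01:02 user=1002 GET /demographics/1005 200
2017-03-12T10:01:02 user=1002 GET /demographics/1006 200
2017-03-12T10:01:03 user=1002 GET /demographics/1007 200
2017-03-12T10:01:03 user=1002 GET /demographics/1008 404
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.fromisoformat(rec['ts'])
    rec['status'] = int(rec['status'])
    return rec


def find_enumerators(log_text, window_seconds=60, min_foreign_targets=5):
    """Return {user: set of other users' ids} for every account that requested
    at least min_foreign_targets distinct *other* users' demographics pages
    within any span of window_seconds.

    Requests for the account's own page are ignored (that is normal use).
    Failed requests (404) still count: a probe for a record that does not
    exist is evidence of enumeration, not of legitimate browsing.
    """
    hits = defaultdict(list)  # user -> [(timestamp, target id)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pm = PROFILE_RE.match(rec['path'])
        if pm is None or pm['target'] == rec['user']:
            continue
        hits[rec['user']].append((rec['ts'], pm['target']))

    flagged = {}
    for user, events in hits.items():
        events.sort()
        # Slide a window starting at each event and count distinct targets in it.
        for i, (start, _) in enumerate(events):
            targets = {
                target for ts, target in events[i:]
                if (ts - start).total_seconds() <= window_seconds
            }
            if len(targets) >= min_foreign_targets:
                flagged[user] = targets
                break
    return flagged


if __name__ == '__main__':
    for user, targets in find_enumerators(SAMPLE_LOG).items():
        print(f'user {user} requested {len(targets)} other users\' records: {sorted(targets)}')
```

A rule like this is a detection backstop, not the fix: the server-side authorization check that ties a demographics page to the account requesting it is what was missing, and the log review only tells you how long the gap was exploited and which records were touched, which is exactly the question the statement says the forensic firm had to answer.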

The statement also gave an explanation as to why the company appeared slow to notify its clients and the public.

“It was important that AJLA-TS identify the misconfiguration and eliminate it from the system,” the statement said. “The forensic firm’s analysis required the review of a significant amount of system data. This analysis was needed to confirm that the hacker had actually accessed individuals’ information, so as not to unnecessarily alarm affected individuals.”

Bohannon did not return phone calls Friday seeking response to inquiries about whether the 30-minute notice stipulation in the state’s contract was met.

The Workforce Services Department did not immediately alert people who used JobLink of the security lapse until it could be determined that personal data was stolen.

Arkansas Code Annotated 4-110-105 requires disclosure of system security breaches to “any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

The law also allows state agencies or businesses to delay notification if it’s determined that disclosure would harm an ongoing criminal investigation.

Email notifications were later sent to all users with a valid email account, a notice was placed in the Democrat-Gazette, and a disclaimer was placed on the JobLink website, Guntharp said.

A previous Democrat-Gazette article stated that the personal data could fetch approximately $46,000 on the online black market, according to Blake Townsend, a certified ethical hacker and cybersecurity researcher for the Little Rock company PC Assistance.

The Kansas News Service reported Thursday that the state of Kansas, which regulates the database company, will pay for up to a year of credit monitoring services for victims in nine of the 10 affected states, including Arkansas. Victims residing in Delaware will receive three years of credit monitoring because of contractual obligations to the state, a spokesman told the news service.

America’s Job Link Alliance-TS also recommends that all potentially affected individuals obtain free credit reports at annualcreditreport.com or call (877) 322-8228 to review credit reports for any potential fraudulent activity.
