Hack pushes state to review contract
Breach hit data of 598,533 job seekers
The Arkansas Department of Workforce Services is shopping for a new database provider to host and administer the state’s virtual employment tool after nearly 600,000 Arkansans were affected by a data breach in the spring.
The Kansas-based database contractor America’s Job Link Alliance-TS, which has contracted with the state since 2007, reported to the state agency in March that the records of at least 19,000 Arkansas job seekers had been compromised, although it wasn’t clear what data the hackers had extracted.
The state agency now knows the attack affected 598,533 Arkansans, and that hackers obtained private sensitive data, such as Social Security numbers, names and in some cases phone numbers and addresses, spokesman Steven Guntharp said.
The department also said Friday that no one has reported any identity theft related to the compromise.
The Workforce Services Department has contracted with the Kansas company since 2007, when the state launched its Arkansas JobLink program. The company’s database is a repository for all data submitted by job seekers through the state’s JobLink program, as well as for job programs in 15 other states that have contracts with the company.
According to a news release from the company, the data breach scraped or downloaded private information from more than 5.5 million job seekers across 10 of the company’s 16 client states: Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont.
The company issued an “incident call” to the state March 15, one day after the attack was discovered. Arkansas and other states soon after requested assistance from the FBI, which launched an investigation that is ongoing.
This year’s $440,000 contract between the Arkansas Department of Workforce Services and America’s Job Link Alliance-TS, which runs from Dec. 1, 2016, to Nov. 30, 2017, stipulates that the company must inform the department of any security breaches within 30 minutes of them occurring.
The department, however, does not feel the company met that provision of the contract.
“According to the time they gave us and when they let us know, we do not think they notified us within 30 minutes,” Guntharp said.
In response to the incident, Workforce Services Director Daryl Bassett arranged a committee that is shopping for other possible vendors before the contract with America’s Job Link Alliance expires in November.
“We’re actively looking at other vendors,” Guntharp said.
“To say that we’re 100 percent going to continue our contract with them, we just don’t know yet at this time,” he said.
The Arkansas Democrat-Gazette reported in March that an email signed by company director Christie Bohannon and sent to Workforce Services Department officials said the company was made aware of a “potential issue” March 12, three days before the state was notified. The company’s investigation continued into the next day, Monday, when it determined that one job seeker was using a bot to access users’ “demographics pages,” and by Tuesday a fix had been implemented.
A week later, the company posted a statement on its website, explaining that a hacker “exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers,” and that the “code misconfiguration” was introduced into the company’s system through a system update in October 2016.
“This misconfiguration has since been eliminated,” the statement said.
The statement also gave an explanation as to why the company appeared slow to notify its clients and the public.
“It was important that AJLA-TS identify the misconfiguration and eliminate it from the system,” the statement said. “The forensic firm’s analysis required the review of a significant amount of system data. This analysis was needed to confirm that the hacker had actually accessed individuals’ information, so as not to unnecessarily alarm affected individuals.”
Bohannon did not return phone calls Friday seeking response to inquiries about whether the 30-minute notice stipulation in the state’s contract was met.
The Workforce Services Department did not alert people who used JobLink to the security lapse until it could be determined that personal data had been stolen.
Arkansas Code Annotated 4-110-105 requires disclosure of system security breaches to “any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
The law also allows state agencies or businesses to delay notification if it’s determined that disclosure would harm an ongoing criminal investigation.
Email notifications were later sent to all users with a valid email account, a notice was placed in the Democrat-Gazette, and a disclaimer was placed on the JobLink website, Guntharp said.
A previous Democrat-Gazette article stated that the personal data could fetch approximately $46,000 on the online black market, according to Blake Townsend, a certified ethical hacker and cybersecurity researcher for the Little Rock company PC Assistance.
The Kansas News Service reported Thursday that the state of Kansas, which regulates the database company, will pay for up to a year of credit monitoring services for victims in nine of the 10 affected states, including Arkansas. Victims residing in Delaware will receive three years of credit monitoring because of contractual obligations to the state, a spokesman told the news service.
America’s Job Link Alliance-TS also recommends that all potentially affected individuals obtain free credit reports at annualcreditreport.com or call (877) 322-8228 to review credit reports for any potential fraudulent activity.