According to an America's JobLink Alliance (AJLA) press release, millions of job-seekers in at least 10 states may have had their sensitive information accessed by hackers. The incident allowed unauthorized access to the names, Social Security numbers, and dates of birth of persons in their database. The access occurred between Feb. 23 and March 14, 2017.
The 10 states that are impacted by this incident (so far) include: Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont.
The AJLA service is offered by the Department of Labor (DOL) and is managed by a third party. Kansas-based AJLA is used to coordinate federal unemployment and workforce development programs across the country.
According to FAQs on the AJLA press release: “On February 20, 2017, a hacker created a job seeker account in an America’s JobLink (AJL) system. The hacker then exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers. This misconfiguration has since been eliminated.
America’s Job Link Alliance-Technical Support (AJLA-TS) first noticed unusual activity in AJL via system error messages on March 12. AJLA-TS immediately notified law enforcement, retained an independent forensic firm to investigate the cause and scope of the activity, and fixed the misconfiguration.”
National and Local Coverage of Data Breach Incident
The coverage of this incident has been widespread and will likely grow much further. The diversity of how this story is reported is fascinating and an important aspect of this security incident that state and local technology and security professionals need to take note of. Here are some of the news headlines:
Washington Times: Millions of job seekers likely compromised by massive employment services breach — “The FBI has reportedly launched an investigation upon being notified this week of a recent breach suffered by America's Job Link Alliance (AJLA), an online portal used to connect job seekers in several states with potential employers.
The portal was breached last month for the first time in its nearly 50-year history after an unauthorized party exploited a vulnerability in its online system, it said in a statement Wednesday.”
Burlington Free Press: Data Breach Could Affect thousands in Vt. — “Up to 180,000 Vermont accounts on a state vendor's job search website may have been compromised in a data breach, Gov. Phil Scott announced Thursday, making the breach much larger than previously believed.”
Central Illinois Proud.com: Data breach affecting more than a million Illinoisans — “The Illinois Department of Employment Security says one of its vendors experienced a data breach, affecting approximately 1.4 million job seekers in Illinois.
The vendor says the vulnerability wasn't a result of deficiency in software maintenance by the state, and 10 states may be impacted.”
WHNT.com: AJL offers free credit monitoring after data incident affecting Alabama job seekers — "A recent security breach of the America’s JobLink (AJL) system, an online job database, has possibly caused Alabamians’ personal information to be exposed. The site, www.joblink.alabama.gov, is maintained by America’s Job Link Alliance.
Now, AJL has established a call center to answer questions from those affected. 1-844-469-3939 is the toll-free number, and you can call from 8 A.M.-8 P.M. CST Monday through Friday. You can also email AJLAincidentresponse@AJLA.net.
AJLA-TS also established a method to offer those affected a year of free credit monitoring services. If you’re interested, it is instructing customers to look out for an email from AJLA within the next week."
Delmarva Public Radio: Data Breach at Delaware Labor Department — “Officials say more than 200,000 Delaware residents have been put at risk of identity theft following a breach of a state Labor Department job-seeker database earlier this month. …”
More Details on AJLA and Security Incident:
According to the AJLA website, “America’s Job Link Alliance (AJLA) is an alliance of workforce organizations partnering to produce high-quality information technology, while maximizing the return on investments for members. Our products empower workforce agencies to deliver exceptional customer service and drive the economy by connecting employers and job seekers.”
Here are a few of the FAQs answered at the AJLA website:
Q: When will I be notified if my account was breached?
If you have a valid email address on file and your account was impacted by the incident, you will likely be notified by email within five to 10 business days from March 24, 2017.
Q: Do you suspect that my information has been used fraudulently?
We do not have any evidence that your information was actually misused, but we take our obligation to protect your information seriously and wanted to ensure that you received notification as soon as possible.
In addition, there are answers to questions about changing passwords and accessing your accounts, if you were impacted by this incident.
For background, the current work of AJLA covers the following states shown below in orange; however, only 10 states have been called out in this incident so far.
Member states within the AJLA network
Although this data breach is a significant national incident that will take years to fully recover from, I commend AJLA for a very good incident response effort so far, with a good Q/A section on their website, which I hope is regularly updated. I have been impressed with how quickly they have made information available to various state government organizations around the country. They also did not sit on this incident information for months, or even years, as other public- and private-sector organizations have done.
I urge anyone who thinks that they may be impacted by this incident to visit their state government’s job seekers Web page and/or call their state’s local service — rather than reaching out to AJLA directly.
Also, take advantage of the free credit monitoring services offered, because millions of Americans never actually sign up for the free services that are offered after breach incidents such as this one. You must sign up for the protections to be put in place.
Other recommendations, such as changing passwords, are listed at the websites' FAQs provided at the links above.
Finally, new data breaches like this one always raise questions regarding the wisdom of states working together to leverage economies of scale for efforts such as job seeking and career development. There are literally hundreds of other ways that governments use third parties to provide a vast array of services across many different levels of government across America and the world. By and large, this collaboration makes sense and saves tax dollars. It also provides better service for more citizens.
Nevertheless, the importance of cybersecurity is once again raised to the forefront by this incident — in a core function of government nationwide. One protection mistake can have devastating consequences for millions of people.
I urge local, state and federal governments to take additional cyberprotection steps, such as instituting bug bounties, to find and correct these security holes before they become national (and local) headlines. Other areas of governments (and their contractors) must learn from what just happened in this incident.