An unemployment benefits website run by the Arkansas state government suffered a large data breach that left the personal information of thousands of applicants exposed, state officials confirmed.
Arkansas was forced to temporarily shut down an unemployment benefits program last week after a data breach potentially exposed the personal information of some 30,000 state residents.
The Pandemic Unemployment Assistance (PUA) program had been rushed into development to field the sudden flood of unemployment claims from self-employed and gig economy contractors put out of work as a result of the novel coronavirus, officials said in a press conference Saturday.
"Last night I learned of a potential security incident in which an applicant seems to have illegally accessed the [PUA] system. When this was discovered, it was necessary to shut the system down," Gov. Asa Hutchinson said during the press conference. Hutchinson said police and the state's cyberinsurance carrier had been notified, and that a forensic investigation was underway.
A nearly identical data breach occurred in Illinois this week, highlighting the stress that COVID-19 has put on governments as they rush to stand up such workforce programs.
The Arkansas site was developed by private vendor Protech Solutions, said Hutchinson, a company that the government had worked with in the past.
The rush to stand up the new website came as a result of the passage of the CARES Act, which channels federal funding to states to deal with the recent nationwide unemployment spikes, said Secretary of Commerce Mike Preston. CARES requires state governments to cover certain types of contractors, such as independent and self-employed workers, that had "never been covered before."
"Obviously our team has been spread as thin as possible trying to cover our existing unemployment programming system and trying to handle the additional claims that we're seeing," said Preston. "It was almost imperative that we had to bring in some additional outside help because we just didn't have the capacity."
"If we find during our investigation that any personal, sensitive data has been compromised, then steps will be taken, including the notification to the applicants or anyone else who has been," Hutchinson said, adding that anyone who has been impacted will receive credit monitoring services.
According to the Arkansas Times, the breach was discovered by a computer science professional who visited the site hoping to find work. When he did a cursory review, he discovered that the site had been configured so that claimants' personal data was openly available on the website, including birthdays and social security numbers.