The Ohio Department of Job and Family Services denies accusations that its system has been hacked and says account takeovers have been greatly reduced thanks to months of security enhancements.
But the state’s unemployment system, which has encountered massive amounts of fraud for more than a year, is only now moving to set up a system to reimburse Ohioans who had their benefits rerouted by account hijackers.
Unemployment fraud has been a huge problem in Ohio and elsewhere around the country since the start of the coronavirus pandemic. But much of the focus has been on scammers applying on their own for benefits using stolen personal information without the victim’s knowledge. Account takeovers are different: thieves gain access to legitimate accounts and change bank routing numbers to obtain victims’ benefits.
The Ohio Department of Job and Family Services expects in about two weeks to start accepting applications from people who had their accounts hijacked, according to ODJFS spokesman Bill Teets. After receiving the applications, ODJFS will review them and pay restitution to victims, he said.
Teets said ODJFS is only now working to set up a reimbursement program for such victims because the U.S. Department of Labor didn’t explicitly say until a couple of months ago that state unemployment programs could do such a thing (though the feds never said states couldn’t reimburse victims). Since then, it’s taken ODJFS a couple of months to set up a system to accept applications from victims of account takeovers, investigate their claims, and pay money as needed, he said.
It’s unclear how many Ohioans have had their legitimate unemployment benefits accounts taken over by intruders, Teets said.
“Generally speaking we’ve not been processing instances of account takeovers, as we await our final process,” Teets said in a statement. “Seeing those involved may help us determine if this is an instance of some sort of one-off situation, or perhaps an instance of something similar to an account takeover, but perhaps not.”
Teets also said account hijackings have now been “minimized” thanks to action taken by ODJFS to tighten security, including signing contracts worth millions to cybersecurity contractors.
ODJFS has repeatedly denied that scammers gained access to people’s accounts by hacking into the state’s unemployment computer system. Rather, Teets said, when accounts have been taken over, it’s been because criminals have obtained victims’ login information through various means, including sending phishing emails.
“To our knowledge, we have no indication that JFS systems have been hacked,” Teets said.
But some Democratic lawmakers don’t believe that. “I believe they’re lying,” state Sen. Teresa Fedor, a Toledo Democrat, told WEWS-TV in Cleveland.
Sate Rep. Jeff Crossman, a Parma Democrat, said he’s heard from numerous constituents who had their accounts hijacked and noted that many had their benefits routed to a single bank in South Dakota. Crossman said he believes ODJFS’ explanation that scammers are relying on stolen personal information is “crazy.”
Crossman continued: “They’re blaming the victim, basically, instead of actually doing the analysis to figure out if their systems have actually been compromised.”
Heather Keyes of Toledo testified earlier this month before a special legislative committee examining unemployment system issues that someone accessed her state unemployment account and stole $900 by changing her bank account information. She spoke at length about the bureaucratic runaround she faced, including spending on the phone with ODJFS agents trying to rectify the problem, without success.
Keyes said she rejected ODJFS’ explanation to her that the thieves must have accessed her account via a phishing email.
“No I didn’t — I’m computer-savvy,” she said. “That’s not happened to me.”
Crossman has called on Gov. Mike DeWine’s administration to activate the state’s cyber reserve force. But during the legislative committee meeting, ODJFS Director Matt Damschroder waved off that suggestion, noting that his department has already made security enhancements with the help of the contractors and outside private-sector executives.
There have been limited Ohio unemployment data breaches in the past, though ODJFS has said that there has been no evidence that the personal information released was used improperly.
©2021 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.
