A glaring security flaw in the Kansas Unemployment System was discovered by an average user who was able to accidentally hack and retrieve someone else’s information.
Lisa Hirst, like so many others stuck on hold, was unable to contact the Kansas Department of Labor to tell them, and was forced to reach out to a TV station to draw attention to the security breach.
According to KWCH, Hirst reached out to the station in late January, letting them know that she’d found a flaw.
Just wanting a call back from KDOL about her claim, KWCH reported, Hirst entered her social security number into the system, but mistyped it — and pulled up someone else’s information.
She wasn’t even logged into the system.
“I was shocked that I didn’t even have to sign in to a KDOL account to access this page,” Hirst told the station. “I Googled it to find it. I Googled, ‘Kansas PUA callback,’ (and) any number you type in that, if they have an account with KDOL, you’re going to bring up that person’s information, and right now, KDOL has hundreds of thousands of people in their system.”
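The failure Hirst describes is a lookup page that trusts a typed SSN instead of a signed-in identity. The following is an added illustration, not code from KDOL or from this article: it contrasts that weak pattern with a session-bound version, using constructed, fictional claimant records and hypothetical function names.

```python
from typing import Dict, List, Optional

# Constructed sample data: SSNs and names are made up, not real records.
CLAIMS: Dict[str, Dict[str, str]] = {
    "123-45-6789": {"name": "Claimant A", "phone": "555-0100"},
    "123-45-6798": {"name": "Claimant B", "phone": "555-0101"},
}

# Audit trail of refused lookups; in production these feed detection.
AUDIT_LOG: List[str] = []


class Session:
    """Hypothetical signed-in session: the claimant's SSN is bound at
    sign-in, so the server, not a form field, decides whose record is in scope."""

    def __init__(self, claimant_ssn: str) -> None:
        self.claimant_ssn = claimant_ssn


def callback_lookup_weak(ssn: str) -> Optional[Dict[str, str]]:
    """The pattern in the article: no sign-in, the typed SSN selects the
    record, so a one-digit typo returns another claimant's information."""
    return CLAIMS.get(ssn)


def callback_lookup_hardened(session: Optional[Session], ssn: str) -> Dict[str, str]:
    """Fixed form: require a session and return only the record bound to it.
    A mismatched SSN is refused and logged, never resolved to someone else."""
    if session is None:
        AUDIT_LOG.append("unauthenticated callback request refused")
        raise PermissionError("sign-in required")
    if ssn != session.claimant_ssn:
        # Do not reveal whether the typed SSN exists; record it for review.
        AUDIT_LOG.append(f"ssn mismatch for claimant ...{session.claimant_ssn[-4:]}")
        raise PermissionError("request does not match signed-in claimant")
    return CLAIMS[session.claimant_ssn]


def demo() -> Dict[str, object]:
    """Replay a mistyped SSN (last two digits swapped) through both paths."""
    own, typo = "123-45-6789", "123-45-6798"
    leaked = callback_lookup_weak(typo)  # weak path hands over Claimant B
    try:
        callback_lookup_hardened(Session(own), typo)
        blocked = False
    except PermissionError:
        blocked = True
    return {"weak_leaks": leaked is not None and leaked["name"] == "Claimant B",
            "hardened_blocks": blocked, "audit_entries": len(AUDIT_LOG)}
```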
Meanwhile, the Kelly administration insists the security holes have been filled and that the issues are related to outdated equipment — the mainframe computers the Kansas unemployment system runs on are more than four decades old — and the TransUnion and Experian data breaches of a few years ago.
It’s unknown if Hirst was able to accidentally hack the system before or after the State paid Accenture over $4 million in consulting fees for PUA and other security consulting services.
Not just lack of transparency, lack of data
According to the Kansas City Star, KDOL isn’t even sure how much fraud there’s been.
“The department has struggled to find out just how many fraudulent claims have been paid out,” the Star wrote late in January. “But here are two possible signs that the fraud may be scandalously large: Initial filings for jobless benefits were thought to have surged by more than 76,000 the week of Jan. 16 — tens of thousands above those at the start of the year.”
The Sentinel, too, has been attempting to determine just how many fraudulent claims have been paid.
In late November, the Sentinel sent a Kansas Open Records Request asking for “Total number of unemployment claims for the dates July 1, 2020 through Nov. 19, 2020. Total number of attempted fraudulent claims for the same dates. Total number of fraudulent claims paid out for the same dates. Total dollar figure of fraudulent unemployment claims paid out. Any documentation detailing how residents whose identity was compromised as part of a fraudulent claim were notified.”
After nearly two weeks of back and forth, the Sentinel was told there were no records responsive to that request.
Meanwhile, the fraudulent claims have continued to mount, and apparently, KDOL has no idea how bad the problem might be, nor any way to tell Kansans if they’ve had their identity stolen for unemployment fraud.
Rep. Sean Tarwater (R-Stilwell), who heads the House Commerce Committee, blasted KDOL to the Star, saying KDOL “won’t say how many fraudulent claims have been paid, how many dollars have been squandered in fraudulent payments or what steps they will take to stop it. Either they are completely incompetent, or they know the magnitude of the problem and want to hide it.
“We have a little over 1.1 million workers and have had over 1 million initial claims. These numbers do not add up.”
Tarwater said the dollar amount of fraudulent claims could be north of $400 million, and in the KWCH piece, Rep. Stephen Owens, (R-Hesston), said the numbers could be as high as $700 million — and growing.
“Now we’re getting it could be as high as $700 million in insurance claim fraud that has been paid out over the last nine months,” Owens said.
The hack shouldn’t have blindsided KDOL
The problems should have been anticipated. The outdated computer system has required replacement literally for decades, but in May of 2019, Governor Kelly canceled a Brownback Administration no-bid contract for computer overhauls at both the Department of Revenue and KDOL.
There appeared, however, to be little urgency to get the system updated, and while the pandemic could not have been anticipated, the Federal Government warned in March 2020 to expect massive fraud.
“We were warned by the federal government back in March that fraud was going to be unbelievable as it relates to these unemployment benefits, yet we are the last state in the nation to take steps to address the security of our website,” Owens said.
Despite that warning, Kelly made few moves to deal with the outdated technology until July of last year — months after lockdowns put millions out of work nationwide — when she let a $22 million, no-bid contract to Accenture to, among other things, staff a call center.
Included in the $22 million total was more than $4 million for PUA and other security consulting services. It’s unknown if Hirst was able to hack the system before or after Accenture was involved.
Damage done
KDOL insisted most of the fraud was related to a data breach from several years ago, and fraudsters were obtaining personal information from the “dark web.”
However, Owens told KWCH that Hirst’s accidental “hack” clarified things.
“Now that this information has been brought to light, it actually, it helps me understand what might actually be going on,” Owens said. “Originally when we were questioning the fraud department, they were referring back to the Experian and Equifax breach of data a few years back, and possibly that data was sold on the dark web that those social security numbers were being utilized to manipulate our system … But if it’s as easy as (Hirst) has found it to be, then there wouldn’t even require any purchase on the dark web the information is just there and it’s just a click away. The state needs to be held accountable for the failure, we need to ensure that we are doing our part to protect people’s identities.”