In 2019, Kansas ranked 39th in the nation in identity theft on a per-capita basis. But Kansas shot up to #1 in 2020 and #2 in 2021 largely due to rampant incompetence at the Kansas Department of Labor and the Kelly administration, according to sources who have seen confidential internal reports.
Per federal trade commission numbers, there were just 78 reports per 100,000 residents in 2019 or 2,273 total complaints. In 2020 there were 1,483 complaints per 100,000, or 43,211 in total; that is an increase of 1,801%.
Things improved marginally in 2021, with Kansas falling to No. 2 in the nation but still reporting an additional 39,461 total complaints of identity theft for a total of 82,672 reports for the two years. In other words, with approximately 1.6 million adults between 18 and 65 in Kansa, roughly one in 20 found themselves victims of identity theft.
These problems were brought to the attention of Kansas Governor Laura Kelly’s administration in 2020, and the immediate solution — identity verification for the online claims system — was not implemented until January of 2021. That was fully eight months after business leaders — and the federal government — warned states that fraud was going to be an issue during the pandemic.
As the Sentinel reported nearly a year ago, the Kelly administration simply didn’t take the unemployment fraud and identity theft problems seriously — despite Kelly herself being a victim.
Indeed, the Sentinel, among others, started trying to discover the extent of the fraud in November of 2020 — only to be told after two weeks of back and forth with KDOL on Kansas Open Records Requests — the department “had no records responsive to our requests.”
Explosive reports detail incompetence in Topeka led to record identity theft, unemployment fraud
Sources say the confidential, internal reports detail the utter incompetence, first reported here last summer, and the lack of urgency within the Kelly administration to address the issue — even as Kansans faced months of delays in getting payments after Kelly shut down most of the state in response to COVID-19.
A timeline shows that from March 19, 2020, through Feb. 2, 2021, the business community tried to bring attention to the issue on 28 separate occasions, the legislature on 15 occasions, and the administration received no less than 7 warnings from the federal government in approximately a 12 month period.
The first substantive action to address the issue didn’t occur until Jan. 27 of 2021 when Kelly ordered the shutdown of the entire UI system to implement an identity verification system the business community had been repeatedly told couldn’t be done, given the antiquated nature of Kansas’ computer system.
On Feb. 2, when KDOL resumed UI operations the report states 365,000 fraudulent claim attempts were stopped before the close of business.
In that 12-month period, Kansas had four different secretaries of labor. On June 22, 2020, two days after the Kansas Department of Labor was reported to be clawing back UI overpayments from Kansans’ checking accounts — without warning — and causing overdrafts for many across the state, KDOL Secretary Delia Garcia resigned, with Ryan Wright appointed acting secretary until Dec. 22, 2020. On Dec. 22, Brett Flaschbarth was appointed acting secretary, and then just over a month later on Jan. 29, 2021, Kelly appointed Amber Schultz as acting secretary. Shultz was later confirmed as the first permanent head of KDOL in nearly a year.
Moreover, the reports indicate a systemic lack of seriousness regarding cybersecurity.
The reports indicate there is no formal inventory of what hardware the department owns, a lack of proper network monitoring, no software inventory, or even the ability to detect new software on the network. And while the department performs a weekly vulnerability scan on the network, any remediation is not documented.
Additionally, the report found KDOL does not even employ content filtering software that would block access to porn sites, social media, personal email, gambling sites, cloud storage — or remote access sites — on the internal network. KDOL doesn’t know who is on the system from within or what software is on the system, making attacks from within very easy.
In total, thirty-one separate issues are documented within the computer system — some so sensitive they cannot be reported on.
Outdated computer system will not be replaced until sometime next year
Despite the delays and fraud, caused in part by an antiquated computer system nearly a half-century old, it will be months yet before the system is replaced.
Gov. Kelly made few moves to deal with the outdated technology until July 2020 — months after lockdowns put millions out of work nationwide — when she let a $22 million, no-bid contract to Accenture to, among other things, staff a call center.
While it is true that the issues with the system far predate Kelly’s administration, work began in 2002 to modernize the system and was stopped in 2011 by the Brownback administration, Kelly restarted the process in 2019 under Secretary Garcia, and then allowed it to stall in 2020 “due to the COVID-19 pandemic” and did not even send out requests for proposals until April 1, 2021.
However, a contract to update the system was not signed until April 5 of this year when Tata Consultancy Services was selected to handle the upgrades — more than a year after RFPs were sent.
The release from KDOL only states that TCS will “begin” work to modernize the system; when that might be done — and what the final cost will be is unclear.
The fact that the Kelly administration allowed the problem to fester as long as it did, and rather than hiring a contractor on an emergency basis, began — by the administration’s own admission “a multi-year initiative focused on transforming the agency’s business processes and core technology systems” — underscores the fundamental lackadaisical approach the Kelly administration took on this issue.
“The current administration … received ample warning notice, concerns, and there was time to act,” Phil Hayes, vice president of HR firm The Arnold Group and chairman of the Kansas Employment Security Board of Review, said last year. “It just felt like it wasn’t a priority.”