The stunning report detailing extensive cybersecurity fraud issues at the Kansas Department of Labor that led to more than 80,000 Kansans having their identities stolen over two years was not even labeled “confidential” until the morning of a meeting in which it was to be discussed.
The reports were sent to the Unemployment Modernization and Improvement Council via email on May 13 — four days before the meeting. The Sentinel obtained copies of the reports before they were labeled “confidential.” We reported on the embarrassing conclusions and generic findings but withheld information that could be used to exploit the state computer system. But reporting on the state’s incompetence didn’t sit well with some committee members.
In an exchange during the May 17, meeting Kansas State Representative Stephanie Clayton, (D-Overland Park), expressed concern over the document leak and the Sentinel’s reporting.
Council Chairman Kansas State Rep. Sean Tarwater stated that the reports had only been labeled “confidential” as of that morning — presumably by the Kansas Department of Labor.
Council Member Jake Miller, in response, called the leak “embarrassing.”
“We’re sitting here, drilling KDOL for breaches within their systems, and then we go ahead and do this?” he said. “It’s embarrassing. We’re a council that’s supposed to be looking at security within departments and then we go and on day one of getting something that’s confidential … and we release it.”
Miller told the Topeka Capital-Journal that the Sentinel’s reporting is “not what was even told or discussed to us in either the reports or what was said in executive session.”
But Dave Trabert, CEO of the Sentinel’s parent company, Kansas Policy Institute, disputes Miller’s characterization.
“We don’t know what was discussed in executive session, but our story accurately reflects the findings in those reports. We withheld information that could be exploited by hackers, but the public has a right to know about government incompetence.”
Phil Hayes, vice president of HR firm The Arnold Group, who is also a member of the council, said in a phone interview that KDOL simply failed at basic security measures.
“My overall observation from the report is there’s a lot of elementary aspects of .. good IT security that, essentially, were not a priority — obviously,” he said. “The tough thing for me is, that report was a snapshot as of mid-April (of this year). So hopefully — if we were in an even worse position in the past — we’ve actually gotten some hatches battened down and closed some doors and locked them.
“But I can’t imagine what our posture looked like at the onset of the pandemic.”
KDOL attempts to deflect blame
KDOL attempted to deflect blame for the staggering identity fraud numbers — as many as 1 in 20 working-age Kansans had their identity stolen in two years — by suggesting the figures were skewed over other states because Kansas made it easier to report.
Deputy Secretary of Labor Peter Brady said the spike in numbers was — in part — because Kansas pushed those reporting ID theft to KDOL to report to the Federal Trade Commission as well.
“Every single person that reported fraud to the agency, even before the big spikes, was told in the email, they received ‘go report identity theft to the Federal Trade Commission,'” he said. “If you went to our website, it would say the same thing. We push that very heavily.”
Brady said he checked with neighboring states and found no similar push to report to the FTC.
He also noted that Michigan, which by some estimates paid out approximately $8.5 billion in unemployment fraud, never ranked in the top 50% of states for ID theft.
“What I would say is … the reason Kansas is so high is because … we directed individuals to report this.
“To be very clear, I’m not saying that fraud was not a significant problem in Kansas, it was a significant problem in many states, but what I am saying is for this very particular data set, it was largely driven by the actions of the agency, we could have just as easily told folks, ‘you know, what, don’t tell anybody but us.'”
Hayes, however, in the phone interview simply wasn’t buying it.
“KDOL, essentially says ‘yeah, we may be number one because we asked for it,'” Hayes said. Essentially, because we put a fraud reporting mechanism on our website, and we were funneling people to the Federal Trade Commission.”
However, Hayes said, during the height of the pandemic when identity fraud was closely tied to unemployment fraud, people who were victims were likely to go to the KDOL site, but even had they not, would likely have landed at the FTC’s site to report anyway.
“So they’re probably starting there and then saying ‘What’s going on?'” Hayes said. “If I’m an identity theft victim, I’m gonna say ‘what do I need to do?’ and I’m going to google, and see ‘oh, I can report this to the Federal Trade Commission.'”
Hayes said the issue has to be taken more seriously than it has been to this point.
“We should have been beating the drums and doing a heck of a lot more and what have we done for five and a half percent of the working population in Kansas that did have their identity stolen,” he said. “I had my identity stolen in 1998, and I still have hauntings from that. This never goes away.
“You’ve got to take additional steps and you’ve got to be much more mindful because you’re exposed and it’s just a matter of when the next occurrence is going to come now.”
