The formal release earlier this month of a supplemental report to a forensic cybersecurity audit of the Kansas unemployment system, first reported by the Sentinel more than four months ago, detailed not just the rampant fraud that nearly overwhelmed the system — but massive incompetence and inattention by Governor Laura Kelly’s administration.
According to the Topeka Capital-Journal, the supplemental report from FORVIS, LLP details that of the $3.5 billion paid out by the system, as much as $466 million was fraud.
In 2019, Kansas ranked 39th in the nation in identity theft on a per-capita basis. But Kansas shot up to #1 in 2020 and #2 in 2021 largely due to rampant incompetence at the Kansas Department of Labor and the Kelly administration, according to sources who have seen confidential internal reports.
Per federal trade commission numbers, there were just 78 reports per 100,000 residents in 2019, or 2,273 total complaints. In 2020 there were 1,483 complaints per 100,000, or 43,211 in total; that is an increase of 1,801%.
The cybersecurity issue improved marginally in 2021, with Kansas falling to No. 2 in the nation but still reporting an additional 39,461 complaints of identity theft for a total of 82,672 reports for the two years. In other words, with approximately 1.6 million adults between 18 and 65 in Kansa, roughly one in 20 found themselves victims of identity theft — and some 50,000 cases were reported to the federal government.
These problems were brought to the attention of Kansas Governor Laura Kelly’s administration in 2020, and the immediate solution — identity verification for the online claims system — was not implemented until January of 2021. That was fully eight months after business leaders — and the federal government — warned states that fraud was going to be an issue during the pandemic.
As the Sentinel reported over a year ago, the Kelly administration simply didn’t take the unemployment fraud and identity theft problems seriously — despite Kelly being a victim.
“In my opinion, the Governor made light of it, and I said this publicly in the last meeting,” Phil Hayes, vice president of HR firm The Arnold Group and a member of the Unemployment Modernization and Improvement Council, said in a phone interview. “You know, she received an unemployment determination notice in October 2021 and essentially just said, ‘Yeah, we know it’s a problem; I got a fraudulent claim on me as well.’
“You know, that didn’t make me feel better, but that should have been the true wake-up call to say, ‘You know what? This is a huge issue.'”
Straight answers on cybersecurity are not forthcoming
Hayes said the council is still not getting the answers they need on the status of the cybersecurity vulnerabilities identified in the initial security audit.
“We’ve been arm-wrestling and trying to get status updates on the penetration in the cybersecurity piece,” Hayes said. “We’re just looking for specific feedback on statuses of the vulnerabilities that have been identified in the form of an audit. I think there were six ‘criticals,’ there’s several dozen high (priority) vulnerabilities or issues and several medium and low level (vulnerabilities).”
Hayes said at the recent meeting of the council, he specifically asked the state’s Chief Information Security Officer Jeff Maxon how long it normally takes to resolve those sorts of issues and said Maxon “kind of danced around the issue” and then said most could be resolved in one to six months, but others could take as much as two years.
“We’re still not getting square answers,” Hayes said.
93 percent of fraudulent claims were preventable
Approximately 85% of fraudulent claims occurred before multifactor authentication — a fairly standard security practice — was implemented, but according to Hayes, that number, while disturbing, is misleading
“If you look at the supplemental report, they are estimating 33 million out of the 466 million occurred after the MFA, so 93% of the fraud dollars in the state of Kansas — 93% could have been prevented with MFA,” Hayes said. “But it took us eight months to put that in place when the business community pointedly asked multiple times as early as June of 2020.”
Hayes said auditors disagreed on just how much fraud there was — some put the estimate as high as $600 million.
“We were led to believe, and told, that our system is too old and that’s the problem with our state and what caused the siphoning of the fraud dollars,” Hayes said. “It’s not, we have the same old system today, and we had it when we closed it down for the weekend, put the MFA in place — and overnight, the fraud stopped, and it eventually became non-existent.”
Outdated computer system update underway
The fact that the Kelly administration allowed the problem to fester as long as it did and, rather than hiring a contractor on an emergency basis, began — by the administration’s own admission “a multi-year initiative focused on transforming the agency’s business processes and core technology systems” — underscores the fundamental lackadaisical approach the Kelly administration took on this issue.
The issues with the system far predate Kelly’s administration. Work began in 2002 to modernize the system and was stopped in 2011 by the Brownback administration; Kelly restarted the process in 2019 under Secretary Garcia and then allowed it to stall in 2020 “due to the COVID-19 pandemic” and did not even send out requests for proposals until April 1, 2021.
However, a contract to update the system was not signed until April 5 of this year, when Tata Consultancy Services was selected to handle the upgrades — more than a year after RFPs were sent.
The release from KDOL only states that TCS will “begin” work to modernize the system; when that might be done — and what the final cost will be is unclear.