Personal information including names, Social Security numbers, home addresses, and claim receipts was exposed to other claimants due to a security vulnerability detected by Deloitte Consulting on May 15. Deloitte is the technology vendor for PUA systems in several states, including Ohio.
“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in the statement.
In a breach notification email sent to PUA claimants on May 20, ODJFS said the breach was fixed within one hour of discovery.
The department stated: “Over the weekend, Deloitte notified ODJFS that about two dozen individuals inadvertently had the capability to view other PUA claimants’ correspondence.”
According to the department there is no evidence to suggest that any “widespread data compromise” had occurred.
More than 161,000 Ohioans have applied for unemployment assistance offered in the wake of COVID-19. ODJFS has not revealed how many of these claimants were affected by the data breach.
Perhaps tellingly, every single Ohioan who has claimed PUA is being offered free credit monitoring by Deloitte Consulting for 12 months.
“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in the statement. “Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences.
Frustrated claimants, some of whom are still waiting to receive financial assistance under the PUA program, reported the breach on social media.
ODJFS said action had been taken to ensure that the data breach was a one-off.
The department stated: “ODJFS holds the confidentiality of claimant data in the highest regard and agreed with the immediate steps Deloitte took to prevent any unauthorized PUA access in the future.”
Source: Infosecurity Magazine