HARRISBURG, Pa. (WHTM) – The Pennsylvania Department of Labor and Industry (L&I) on Wednesday admitted for the first time that hackers were diverting Pennsylvanians’ unemployment compensation checks into fraudulent accounts, and that the state’s new unemployment benefit system did not use a common security measure, which cybersecurity experts have called a “minimum standard,” to prevent such attacks.
The admission follows a week of reporting by abc27 News on the attacks.
L&I “has detected an escalation in attempts by fraudsters to steal unemployment benefits through increasingly aggressive and sophisticated programs,” a department spokesperson told abc27 News, and later repeated in a press release sent to all media.
“The system doesn’t look sophisticated at all,” said Jonathan S. Weissman, senior lecturer in the computer security department at the Rochester Institute of Technology (NY), corroborating a view expressed to abc27 earlier in the week by another cybersecurity expert. “Cybercriminals find usernames and passwords – and try them. If they work, they work.”
The problem, according to both? The system lacks multi-factor authentication, which would require anyone changing banking information to physically possess – for example, although it could be something else – the legitimate claimant’s cell phone.
“Multi-factor authentication, a two-step process that will add an additional layer of protection, will be added for requesters,” the L&I statement said on Wednesday, confirming the current absence of such a process.
“L&I takes seriously its responsibility to protect taxpayer dollars and the personal data of individuals. We will continue these efforts in an aggressive and transparent manner,” L&I Secretary Jennifer Berrier said in the statement.
Job seekers who called and emailed abc27 News following the first report told similar stories of L&I phone reps telling them the problem was widespread and had started shortly after the summer migration to the new system. L&I previously disclosed fraudulent attempts to file new jobless claims – and identity verification measures to combat those attempts – but not the hacking of existing accounts and the diversion of their benefits.
Why the timing of Wednesday’s announcement?
“Definitely the story on TV,” said the woman who first reported the scheme. “It is certainly not a coincidence. They were fully aware of the issues long before I brought it to your station.”
She credited the report but also other viewers who came forward, indicating the potential extent of the problem.
L&I has yet to reveal the full extent of the problem, in terms of the number of claimants whose money has been stolen or the amount of money stolen, or whether it can be recovered.
The woman who originally reported the issue and another viewer told abc27 on Wednesday that their issues were resolved after the first story. Others said they were still waiting.
“It’s horrible. You have to empathize” with the victims of theft, said Senator Kristin Phillips-Hill (R-York), who chairs the State Senate’s Communications and Technology Committee. “If we just put a few more procedures in place to make these accounts more secure, we probably wouldn’t be having this conversation today.”
She also credited the report and the viewers who shared their stories.
“I have absolutely no doubt that telling these stories spurred action,” said Phillips-Hill.
The problem? “We don’t have the assurance that the best practices are put in place, so you see what happened with this unemployment benefit system,” she said.
Part of the potential solution, according to Phillips-Hill? The legislation she is sponsoring would require the involvement of a state office of information technology (ILO) in large information technology projects like the new unemployment system.
“And they would set cybersecurity standards across state government,” she said. “I should believe that if something like this had been in place we might have avoided this.”
Phillips-Hill said last year’s attack on the Colonial Pipeline was – like the hack into the unemployment system – surprisingly unsophisticated. “It was a leaked password that caused this whole scenario,” she said.