[BreachExchange] Social Security numbers exposed in Ohio’s new unemployment system

Destry Winant destry at riskbasedsecurity.com
Thu May 21 10:20:22 EDT 2020


https://www.dispatch.com/news/20200520/social-security-numbers-exposed-in-ohiorsquos-new-unemployment-system/1

The Social Security numbers of individuals who filed for federal
supplemental unemployment compensation through a new state system were
exposed late last week.

Deloitte Consulting notified the Ohio Department of Job and Family
Services over the weekend that about two-dozen individuals could see
correspondence for others filing claims in the Pandemic Unemployment
Assistance system.

In an email to those affected, the company wrote that it discovered on
Friday that claimants names, Social Security numbers and street
addresses were accessible to those individuals.

It was not immediately clear how many people were affected by the
breach, and the Ohio Department of Job and Family Services wrote in a
press release that “there is no evidence of any widespread data
compromise.”

The problem was resolved within an hour, and the state contacted those
who had unauthorized access, according to the release. The company is
providing credit monitoring to those affected for 12 months.

The state deferred comment to Deloitte. A Deloitte spokesman said the
company is not releasing the number of claimants whose information was
exposed.

“We are deeply committed to protecting the personal information of our
clients and the people they serve. The system was not breached. A
unique circumstance enabled about two dozen Pandemic Unemployment
Assistance claimants to inadvertently access a restricted page when
logged into the state’s PUA website. Within an hour of learning of
this issue, we identified the cause and stopped the unauthorized
access to prevent additional occurrences,” the company said in a
prepared statement.

The state of Ohio contracted with Deloitte to quickly provide the
system to supplement one that already exists to process state claims.
It was needed to help distribute $600 a week in unemployment
compensation earmarked by Congress to individuals who lost their jobs
but were not eligible for state payments, such as contractors and the
self-employed.

Ohio’s system has been overwhelmed with claims as the state shut down
to slow the spread of COVID-19, with more than 1 million claims filed
since mid-March.

Deloitte and the state signed their contract in mid-April, and the
system was operational as of last week.


More information about the BreachExchange mailing list