[BreachExchange] Michigan: Glitch caused personal data risk for up to 1.9M

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 3 16:55:27 EST 2017


http://www.detroitnews.com/story/news/local/michigan/
2017/02/03/uia-msp/97454924/

Private information stored in a state computer system for unemployment
benefits recipients was vulnerable after a software update inadvertently
allowed exposure of data for up to 1.9 million individuals, state officials
said Friday.

The Social Security numbers and names of up to as many as 1.87 million
people could have been accessed, but the exact number is being
investigated, according to the Michigan Department of Technology,
Management and Budget.

Those whose personal information may have been compromised are active
employees in Michigan whose payroll information is processed by an
unidentified 31 third-party payroll vendors, according to the state. The
information was exposed from Oct. 10 to Jan. 30, according to the state.

Everyone whose data was compromised will be notified, the agency said.

“Data security is a top priority for the state of Michigan,” said David
Behen, Department of Technology, Management and Budget director and
Michigan’s chief information officer. “We will work with our third-party
vendors and our state team to review our processes and procedures to avoid
incidents like this in the future.”

The Michigan State Police Cyber Command Center is investigating to figure
out how many people had their personal information exposed.

State officials say a 2016 software update allowed “employers and other
human resources professionals” to access the information but not people who
applied for benefits “or the general public.”

The breach was discovered Tuesday and a fix was applied the same day,
agency officials said.

The information could have included first and last names, Social Security
numbers and wage information. Other personal information was not accessed,
the state says.

The latest disclosure of problems with the system comes as the Unemployment
Insurance Agency undergoes scrutiny following a federal lawsuit settlement
over its past use of an automated computer system that made more than
20,000 false unemployment benefit fraud claims against Michigan residents
over nearly two years.

The state unemployment agency continues to review fraud determinations by
the automated system between October 2013 and August 2015. It reversed
computer-based determinations in 20,965 of 22,427 cases during an initial
review. Michigan has so far refunded claimants $5.4 million because of the
system’s mistakes.

The state says there isn’t any indication that the exposed information
could be used “for malicious purposes” and says it doesn’t appear that the
information “was accessed with malicious intent,” but was accidentally
viewed by employers who were using the system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170203/412bb0b3/attachment.html>


More information about the BreachExchange mailing list