[BreachExchange] PFD application remains offline while state gets to the bottom of data breach

Destry Winant destry at riskbasedsecurity.com
Wed Jan 2 22:33:21 EST 2019


https://www.adn.com/alaska-news/2019/01/03/pfd-application-remains-offline-while-state-gets-to-the-bottom-of-data-breach/

This year’s online application for Permanent Fund dividends remained
offline Wednesday for the second day in a row amid a potential
security breach that some applicants have said allowed them to access
other people’s personal information.

The Alaska Department of Revenue, which oversees the Permanent Fund
Dividend Division, confirmed in a statement Tuesday that it had
received complaints from users who had inadvertently seen private
information belonging to other applicants who had already filed for
the dividend.

As of Wednesday afternoon, the department had confirmed only one case
of user information being shared, although dozens of people have
complained on social media. Many have said that when they tried to
apply, the form auto-populated with someone else’s personal data,
which included birth dates, contact information, bank account
information and Social Security numbers. The application was taken
offline Tuesday morning, shortly after it opened at 9 a.m.

“We will be doing a very deep dive into why this occurred,” said
Department of Revenue Commissioner Bruce Tangeman.

The application is expected to be back online within the next few
days, Tangeman said. In the meantime, the Department of
Administration, which manages the state’s information systems, is
working to address the issue and investigate what went wrong, he said.
Officials with the Department of Administration did not respond to
multiple calls on Wednesday.

Anne Weske, director of the Permanent Fund Dividend Division, said the
state will email those who were logged into the application during
that window to notify them their data may have been compromised. At
this time, the state hasn’t made any plans to offer fraud or credit
monitoring to those who may have been affected, she said.

Weske said the application was online for about 30 minutes before it
was taken down, though many applicants said they were unable to access
the application when it opened at 9 a.m. — instead seeing an error
message saying the application website was down for “unexpected
maintenance.”

The state has not confirmed how many people’s information may have
been compromised, but about 100 people had filed when the application
was taken offline, according to the division’s real-time application
counter.

Royce Williams, a cybersecurity advocate based in Anchorage, said
online forms can be complex, and there are multiple places on both the
front end and back end where the application could have gone awry.
This year’s form includes a new feature that is supposed to allow
applicants to pull information from previous applications, and
Williams said it’s possible that’s where the breakdown may have
occurred.

“The work to do that could have unexpected side effects,” he said.

Based on how specific the breach was, Williams said he believes it’s
unlikely that the system was hacked. In the meantime, though, he
recommends that those who may have been affected consider having their
credit frozen to prevent identity thieves from opening new accounts in
their names.

PFD applicants can use myAlaska, an authentication system that allows
users to access multiple state services, to submit their signatures
electronically. The system manages applications for state student aid,
public medical assistance and background checks, among many others.
The myAlaska website says user information is stored in a secure
directory that “has been tested by qualified security consultants and
is monitored 24-hours a day.”

The website goes on to say, “No myAlaska participant will have any
access to another person’s records. The authentication system will
maintain audit logs adequate to verify that administrators and
privileged applications are not using the system inappropriately.”

Weske said there have been no reports of other systems that use
myAlaska having similar issues.

Tangeman said applicants can still pick up a paper application at the
Permanent Fund Dividend Division’s office on F Street in downtown
Anchorage. Paper applications can be either mailed or dropped off in
person at the PFD Division office, he said.
