[BreachExchange] Second Data Breach at Kentucky Unemployment System

Destry Winant destry at riskbasedsecurity.com
Wed Aug 5 10:12:00 EDT 2020


https://www.infosecurity-magazine.com/news/second-data-breach-at-kentucky/

Kentucky's unemployment system appears to have suffered its second
data breach in four months after a claimant reported being able to
view another claimant's personal data.

The reporter of the alleged breach logged on to the Office of
Unemployment Insurance's (OUI) online system on July 27 to work on
their unemployment application. While trying to enter their own
details, the claimant was able to view information about another
claimant's former employer and health.

A statement released on July 29 by the Labor Cabinet said that the
reporter of the alleged breach was not shown the other claimant's
name, Social Security number, or other personally identifying
information.

The statement read: "On July 27, 2020, at approximately 4 p.m., the
Office of Unemployment Insurance ("OUI") learned that a claimant
(Claimant A) had seen information pertaining to another individual
(Claimant B) while Claimant A was navigating his own unemployment
application in the OUI online system. Specifically, as he was
navigating his application, Claimant A saw information about Claimant
B's former employer, as well as information pertaining to Claimant B's
health."

The cabinet said that OUI was "reporting this potential breach out of
an abundance of caution" while the allegations are investigated by the
Office of Technology Services.

On July 28, the fired former director of Kentucky’s unemployment
office told a panel of lawmakers that officials at the Education and
Workforce Development Cabinet took no action for a day following
reports that claimants had been able to log in to the OUI system and
see other people's sensitive information.

Muncie McNamara was hired to run the unemployment office in December
but lost his job in May after months of reported backlogs in the
system. McNamara said an email he sent to the IT department on April
22 about a possible breach received no response.

J.T. Henderson, a spokesman at the Cabinet for Education and Workforce
Development, said the only “verifiable” claims of a data breach were
received on April 23.

Following the April data breach, 53,029 Kentuckians who filed
unemployment claims between March 1 and April 23 were notified that
their data may have been exposed.

Kentucky's current unemployment rate is 4.3%, with nearly 83,000
Kentuckians registered as unemployed in June 2020.

