At least four states are warning residents who have applied online for unemployment benefits because of the coronavirus that their personal information may have been leaked.
The breaches stem from two incidents in which states hired contractors to quickly implement the Pandemic Unemployment Assistance program, or PUA, a version of unemployment insurance for Americans who don't qualify for conventional unemployment benefits but are otherwise unable to work because of the pandemic.
Together, they highlight how the states have exposed tens of thousands of their own residents to potential identity theft in their rush to set up websites to provide emergency benefits during the pandemic.
The first incident stems from Arkansas, which launched its PUA website May 5. A week and a half later, it was forced to temporarily take the website down and alert 33,000 initial applicants that they had been exposed to a "data security incident," said Alisha Curtis, a spokesperson for the state Commerce Department.
According to The Arkansas Times, the state took those steps only after a programmer trying to file for unemployment noticed a vulnerability that exposed the Social Security numbers and banking information of people who had applied for the program.
A contract acquired by KATV-TV of Little Rock showed that the state had paid a local company, Protech Solutions, $3 million to create its PUA website in a span of three weeks. Protech didn't respond to a request for comment.
"It isn't necessarily that unemployment systems are particularly vulnerable to data breaches," said Tarah Wheeler, a cybersecurity policy fellow at New America, a think tank based in Washington. "It's that almost every kind of governmental data system, which is locally implemented on a shoestring budget, begun by a contractor who bid the lowest and abandoned by the former and following administrations, is likely to be just as bad."
The second incident stems from one vendor. Colorado, Illinois and Ohio all hired the international consulting company Deloitte to build their PUA websites, each of which launched last week. The states have since alerted residents of a potential data leak.
According to a video that Illinois state Rep. Terri Bryant posted to Facebook, a constituent who tried to register for PUA benefits stumbled across "multiple peoples' names, full Social Security numbers, addresses," physical addresses and correspondence with the state Employment Security Department.
Deloitte did not respond to a request for comment.
The states said Deloitte told each of them about a bug that gave some claimants access to others' personal information and said it fixed the issue within an hour. The company told Ohio that about two dozen of its residents were given such access, and it told Colorado that about six were, according to representatives of the states' labor departments.
CORRECTION (May 22, 2020, 7:31 p.m. ET): An earlier version of this article misspelled the first name of a policy fellow for the think tank New America. She is Tarah Wheeler, not Tara.