Colorado’s computerized unemployment system inadvertently exposed private data of an unknown number of people who had recently filed for unemployment.
The unauthorized access was blamed on a programming error made by the technology vendor. The issue was identified and blocked by the vendor within an hour of when it was noticed on Saturday. State officials said there is no evidence that the data compromise was widespread or related to a malicious hacking attempt.
But just in case, the state is offering 12 months of credit monitoring to the 72,000 people on Pandemic Unemployment Assistance, the federal unemployment benefit offered for the first time to gig workers, independent contractors and the self-employed. Users were notified on Monday.
People on state-funded unemployment were not affected.
According to Cher Haavind, the deputy executive director of the Colorado Department of Labor and Employment, this “wasn’t intentional or fraudulent, nor was it a result of hacking.”
She said that it was a technical error by the system’s vendor, Deloitte. Essentially, Deloitte, which provides similar technology to other states, mistakenly gave users privileged functions beyond the role of a regular claimant. It allowed users to search and potentially see another claimant’s “correspondence,” which could include a name and Social Security number.
The search function was enabled from May 2 to May 15, at which time Deloitte discovered the problem and blocked it from occurring again. The company told the state that according to its logs, during the two-week period only six people saw the searchable screens.
“The vendor discovered that a searchable screen was visible and that fewer than six people had temporary access,” Haavind said.
All six people have been contacted, she said.
There is no evidence that those users searched other accounts, according to the vendor’s logs.
“So far we have no evidence of any malicious activity,” Haavind said.
The state’s unemployment system was revamped to handle the new pandemic claims, which include an additional $600 per week for regular workers on unemployment, plus the new group of gig workers. More than 451,000 Coloradans have filed for unemployment compensation in the two months since the coronavirus crisis began in March.
The labor agency has warned users to be wary of potential schemes by unauthorized users trying to access someone’s unemployment benefits. There are groups online offering to help people file for unemployment for a small fee. Others ask for personal information.
“We will never call a claimant and ask them to verify personal identifying information, including checking account routing numbers and debit card verification numbers,” Haavind said during a call with reporters last week. “Second, you do not have to pay a fee to file for unemployment.”
Other states’ systems have been targeted by an international ring of impersonators that steal unemployment benefits. Washington state officials told The New York Times that they were tipped off to the fraud after some residents who still had a job began receiving unemployment paperwork confirmations.
Nothing like that has been noticed in Colorado, Haavind said.
Colorado verifies an applicant’s identity using an Experian identity verification tool that cross-checks with the Department of Motor Vehicles. The agency also shares tips about schemes that users may face when filing for unemployment benefits.
“Every state has its own set of internal controls and processes,” Haavind said. “That said, fraud schemes are becoming somewhat sophisticated. We have not yet seen any indication that any kind of those schemes have hit Colorado, but we’re also working to augment our existing fraud controls and claimant outreach on fraud prevention.”