A computer programmer applying for unemployment through Arkansas’s Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants. Anyone with basic computer knowledge could have accessed personal information for malicious purposes.
Alarmed, the computer programmer called the Arkansas Division of Workforce Services Friday morning and was told by an operator that there was no one available who could talk to him. He then tried someone at the Arkansas State Police Criminal Investigation Division, who told the programmer he would find the person he needed to talk with to fix the situation. The programmer later called the Arkansas Times for advice on whom to call. The Times alerted the Division of Workforce Services to the issue at 4:30 p.m. Soon after, a message appeared on the website that said, “The site is currently under maintenance.”
“We take the security and privacy of our applicant’s data very seriously,” Zoë Calkins, communications director for the Division of Workforce Services, said in an email. “As soon as we learned of this incident, we immediately took our systems offline to deny outside access to the network. We have engaged independent computer forensic experts to conduct an investigation and determine how this occurred and what, if any, data is at risk. We are committed to completing a full forensic review and will take all appropriate action in response to our findings.”
The state’s rollout of Pandemic Unemployment Assistance, a new federal aid program for self-employed or contract workers whose earnings have been affected by COVID-19, has been marked by blunder and delay. The state launched the PUA application portal May 5*, weeks later than many other states. It’s now one of only 13 states that have yet to pay out benefits to applicants. Some 5,700 applicants who signed up during what the state called a “test period” were forced to resubmit information after a system error caused their supporting documentation to be deleted.
In exploring the website, the computer programmer determined that by simply removing part of the site’s URL, he could access the administrative portal of the site, where he had the option of editing the personal information of applicants, including bank account numbers. From the admin portal, he viewed the page’s source code and saw that the site was using an API (application programming interface) to connect with a database. That API was also left unencrypted, and he could access all of the applicants’ raw data, including Social Security numbers and banking information.
In about two minutes, the computer programmer described the vulnerability to another programmer the Arkansas Times engaged, who then used the information to easily enter the system. To access the sensitive information, the second programmer only needed to create an account, not actually apply for assistance.
Another person who applied for Pandemic Unemployment Assistance told the Times on Friday that when he applied for assistance, submitted his documentation and reached a “review” page, he saw the documentation for another applicant. He said it took three days for the state to remove the other applicant’s information. Then he said documentation for yet another applicant appeared. “It took two days and repeated phone calls to get the second name off,” he said. “Then the next day was when they erased it all and told us we had to reapply.”
The applicant asked that he remain anonymous for fear that his application wouldn’t be approved.
The computer programmer said he thought he could have programmed a script that would gather all of the information from the API in under an hour. He did not.
“It’s a really big issue, my Social Security number is in there,” he said. “It’s unfortunate. I’m trying to get assistance and might get hacked.”
An official with the Division of Workforce Services told a legislative panel today that the state would begin to issue checks to successful applicants to the PUA program next week.
*A previous version of this post incorrectly reported that the PUA portal launched April 16.