Gov. Asa Hutchinson acknowledged today a security flaw in the new pandemic unemployment assistance website that allowed easy access to personal information.
He said 100 people were working through the weekend on the system, currently inaccessible to the public. He said it was built by state agencies and an independent contractor, Pro Tech Solutions.
He said he learned last night of the potential for a security breach. It was reported to the state by the Arkansas Times on behalf of a computer programmer who discovered the flaw while exploring the website. The programmer said he tried to report the flaw to both Workforce Services and the State Police. When he didn’t get a response, he said he called the Times. We confirmed the flaw independently, found a state official and the website was shut down.
Hutchinson characterized the discovery this way: “An applicant illegally accessed the system.” I’m not sure how he concluded that stumbling on a page of information by deleting some letters in a URL is a crime, particularly by someone who TRIED to report the flaw.
In any case:
When the flaw was discovered the system was shut down and law enforcement was notified. He said the state had notified its cyber insurance firm and an outside expert would study the system to see whether any individual information was compromised. If that happened, people will be notified.
But he said he wanted to try to get the system working and begin issuing checks. He said he hoped that might happen next week, even though applicants can’t currently access the system. “We are looking at ways to get that money out the door,” Hutchinson said.
If there was a breach, a credit monitoring system will be provided for those affected.
The governor was asked why 37 other states had been able to begin issuing checks and Arkansas has not. He said he wasn’t familiar with that figure. He said he hadn’t done a thorough study of other states.
Hutchinson said Pro Tech had worked for the state before and was hired because of the speed and expertise a contractor can bring to doing work that the state isn’t able to do. Commerce Secretary Mike Preston wouldn’t answer the question of how much they were paid. “I’ll have to get back to you on that.” He said another private group will assess the system before it goes online.
What about the regular unemployment payment system? Preston said that wasn’t an issue; it operated separately.
The case count
Coronavirus cases rose in 24 hours by 115 (75 from the Corrections Department, a product of a growing outbreak in the Randall Williams unit in Pine Bluff) to 4,578. The governor said the positivity rate in testing over 24 hours was low. More cases are still to come from the prison unit. There are 231 cases so far and eight staff, with not all cases included in the state total yet.
Health Director Nate Smith said hospitalizations remain at 65 and the death toll stands at 98. He explained his method of calculating testing rates that sometimes differ from daily case counts. He said the testing of 2,044 from midnight to midnight produced 94 positive cases, or a 4.4 positive rate. The number of new cases announced at the briefing covers a different time period, Smith emphasized.
On other topics:
The governor acknowledged the legislature had blocked his effort to spend $850,000 from his rainy day fund to prevent furloughs at financially troubled Henderson State University. He said there’d be continuing discussions and he was fully supportive of pressing ahead for the money.
I mailed these additional questions to the governor’s press office in advance of the briefing, the background related in more detail here. I got no response in writing.
About the Legislative Council’s keelhauling Friday of his Commerce Secretary Mike Preston for running roughshod over the legislature (and screwing up royally in the process).
How he squares Preston’s insistence that there was no leak of the Return to Business grant program when the public record shows otherwise.
The second question was asked by a reporter at the briefing. The governor said the question had been “beaten to death.” He then turned it over to Preston. He said accurately that emails had been turned over (to me) in response to FOI requests. He said accurately that he’d mentioned that he’d be giving a 3 p.m. briefing in advance of the rollout of the website at 5 p.m. April 29 to chambers of commerce and other favored “partners.” But he also said flatly, “There was no advance notice given.” He said the records his department had provided supported that.
They don’t. Here again are some of the emails in question. Read them yourself.
The AEDC documents show that Mike Preston himself notified select business people around the state of the coming announcement at 8:34 a.m. A governor’s staff member, Stephanie Beavers, notified a state Chamber of Commerce lobbyist at 9:45 a.m. That lobbyist sent the notice to a chamber leadership group, including major lobbyists, at 9:49 a.m. Jennifer Emerson of AEDC distributed full information on the program to business people on the chamber list and AEDC counsel Jim Hudson at 1:42 p.m., less than a minute after the governor began announcing the grant program. That email included far more specific details than were given at the news conference.
In short, those in the know were prepared to pounce and pounce they did, with the first application — 16 computer pages of information including bank account numbers and other information — filed at 5:04 p.m., four minutes after the website went “live.” I’m with Rep. Robin Lundstrum, who is skeptical a form could be completed so quickly without advance knowledge.
Some people DID get advance notice of the program. That advance notice DID provide a valuable edge because the program was rolled out on a first-come-first-served basis and was oversubscribed in minutes. The money was effectively gone before thousands of people, including most of the legislature, ever knew about it.
There’s a shorter way to describe an assertion there was no advance notice when a speaker’s own email five hours earlier shows otherwise: A lie.
UPDATE: the governor sent an email response to my pre-briefing questions.
All the questions were answered fully at the just concluded news conference in which your reporter asked numerous questions.
- Computer breach questions were not answered fully.
- No answers were given about the Legislative Council’s reversal Friday of his administration on multiple parts of the Ready for Business Grant program.
- As I said already re Preston’s response on advance notice of the grant program: Not true.