Date: 2020-05-17

Arkansas media didn’t distinguish themselves Saturday in coverage of Gov. Asa Hutchinson’s ad hoc press briefing to acknowledge a failure in the state’s pandemic unemployment assistance website reported Friday evening by the Arkansas Times.

Typical was a report in the Arkansas Democrat-Gazette headlined: “Hacker shuts down Arkansas jobless-aid site.”

The article continued:

State officials learned of the breach Friday, and law enforcement officials were notified, along with the state’s cyber-insurance carrier, Hutchinson said.

Neither the D-G nor anyone else I could find attempted to drill down to HOW the state learned of the breach. (Lindsey Millar asked at the governor’s news conference if the private contractor was at fault; Preston dodged the question.) Also, if any media other than our partners at KARK/Fox 16 noted the Times’ role in the matter I’m not aware of it.

As Lindsey Millar reported Friday evening:

A computer programmer applying for unemployment on Arkansas’s Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants. Anyone with basic computer knowledge could have accessed personal information for malicious purposes. Alarmed, the computer programmer called the Arkansas Division of Workforce Services Friday morning and was told by an operator that there was no one available who could talk to him. He then tried someone at the Arkansas State Police Criminal Investigation Division, who told the programmer he would find the person he needed to talk with to fix the situation. The programmer later called the Arkansas Times for advice on whom to call. The Times alerted the Division of Workforce Services to the issue at 4:30 p.m. Soon after a message appeared on the website that said, “The site is currently under maintenance.”

Had a State Police query begun by Friday evening? Did action occur only after the Times called? I don’t know. But Hutchinson left out some critical parts of the story and the media merely regurgitated what he said and moved on.

Hutchinson chose to describe the event by saying an applicant “illegally accessed” information. By the account given to us, if the governor was referring to our source, an applicant said he discovered a flaw and reported it to two state agencies, including the State Police, then called us hoping to protect his own information. Shortly after our confirmation of the problem and our call, the website came down. Was there a hacker? Was the discovery of a gaping hole illegal access? It takes a pretty sly criminal to call the agency in charge of the website, the State Police and a news outlet.

There’s much more to be known. Commerce Secretary Mike Preston, boss of this effort, wouldn’t even reveal how much the state had paid Protech for the speed and expertise that required the state’s hiring of an outside contractor for the project.

Remember that this website has not only been distinguished by a security problem. It went online on May 5*. The applicants the first week had to redo their applications because of a still-unexplained flaw.

This is more important. No checks have yet been issued. There was Friday a “fluid” promise to legislators that checks would begin being issued next week. But that was before the discovery of the security flaw that potentially opened the door to access personal information on 30,000 people.

U.S. News reported two days ago, based on information from the National Governors Association, that 37 states were issuing checks for the pandemic unemployment assistance, which is a federally financed program for self-employed people. Hutchinson disclaimed Saturday any knowledge of that tally.

This security vulnerability presumably existed from the startup of the website. Two weeks have gone by in which the weakness could have been exploited. A state study is underway.

We talked Friday, for example, to another PUA applicant who reported repeatedly finding personal information from other applicants on his own application form. This means many people might have “accessed” private information through no effort of their own.

The system was set up to communicate with the state’s existing conventional unemployment benefits program. Preston insisted Saturday that the systems operate separately and he wasn’t concerned about security spillovers to the traditional program, which has received 170,000 applications. Is an independent party being asked to review that to be sure? Seems prudent.

Remember that the conventional website had to undergo reworking to handle the crush of applicants. It was not an easy project. Preston at one point promised website improvements would ease the issue. Did Protech work on that?

There’s much more to be known about the state’s handling of computer issues (don’t forget the Ready for Business grant website, which Preston’s department put online prematurely).

A key question is whether the governor — and the media — will continue to shoot the messenger rather than provide full accountability.

*A previous version of this post said the PUA website went live May 1.