Gov. Asa Hutchinson was reluctant to acknowledge today that the state learned of a security problem on the pandemic unemployment assistance website through a tipster’s report to the Arkansas Times. And he wasn’t ready to credit the tipster for doing the state a favor, saying he’d let the FBI decide.
Meanwhile, the pandemic unemployment assistance website remains under forensic review and the governor didn’t supply a specific date on when payments might be coming to the 30,000 self-employed who’ve applied for it. It’s a federal benefit being distributed already in 37 states.
At the outset, the governor was asked about calling the tipster’s behavior criminal when, as the Arkansas Times reported, the tipster tried unsuccessfully to notify at least two state agencies before alerting the Arkansas Times. A reporter suggested our account of what the tipster did and the governor’s appeared in conflict.
“I don’t know that’s in conflict,” Hutchinson said.
Hutchinson was also asked how he learned of the issue.
“All I can speak for is myself and how I knew about it and that came through my office that notified me of this. Then we started action. At the time I was notified the website had already been taken down because of the breach.”
He said the FBI was investigating and “my information is that the data was exploited.” He was pressed to explain what he meant by exploited. For one, he said the state did not believe data was manipulated.
“When you say exploited, that is a technical term of art of seeing somebody else’s data,” the governor. Under questioning, he conceded all the term means is that someone might have seen information about others, not that it had been downloaded, shared or otherwise used.
Hutchinson was asked about the Democratic Party’s call for an investigation of the website failure and insider favoritism in the initial beginning of the Ready for Business grant program.
“I think it’s a shame that anybody would try to use the pandemic for partisan benefit and partisan attacks,” Hutchinson said. “That’s unnecessary and uncalled for.” He added that bipartisan legislators already raised questions Friday in the Legislative Council and “expressed themselves.” He didn’t mention that the questioning was critical and was led by Republicans, at least some of whom continue to have questions about handling of the program. The questioning also occurred before news of the website problems. It’s being designed by Protech Solutions under a $3 million contract with the state.
He was pressed on whether there should be concerns about the design of the website and how well the vendor had performed the job, rather than just the person who accessed it. He said it was a concern and that’s why a third-party was reviewing the system. Should blame be placed on the designers or the computer programmer who discovered the issue? “I’ll wait and get a report from experts as to exactly how that should be interpreted.”
Arkansas Times editor Lindsey Millar recounted how the state had learned about the computer breach by a phone call from the Times Friday afternoon. He asked the governor why the person who reported the problem was being depicted in a negative light rather than as someone trying to help the state and protect sensitive information.
Hutchinson said a data breach required a report to the state’s insurance carrier and other steps. “One of those steps is we do report it to law enforcement so they can put it in the context of any other cyber attacks that might be taking place. They recognized this as something that should be investigated further. As to specific laws that are violated, I think I would leave it to law enforcement professionals to answer that question.”
But he continued, “Certainly when you go in and manipulate a system to gain access to something you don’t have permission to access it is a violation of security we want to have in place.”
But the data was so poorly protected, one applicant said information from other people turned up on his application form. A similar problem has developed in Illinois. No sophisticated computer knowledge was required there or here to easily view personal information. A simple change of the website address could take a viewer to the administration portion of the website where the financial data wasn’t protected.
Hutchinson insisted the question was did the programmer who tipped the Times merely “see” or “find” something. “We’ll let the investigation speak for itself on those points,” he said
In response to another question, Hutchinson said he was aware of no connection between the security breach and the necessity of people who’d filed applications to the website in the early days of May to refile their information. There is this, however: Two cases of website failures in about a week.
Hutchinson also announced today that bars associated with restaurants can be open Tuesday under the same guidelines that govern restaurants.
Free-standing bars may open Tuesday, May 26, the additional time to prepare for safety rules that guide restaurants. With that, the governor said every type of business in the state would have the ability to open, though with safety restrictions.
Daily coronavirus count
The number of cases in the state rose from 4,578 Saturday to 4,759 Sunday (with 131 of 181 new cases from a state prison) and then by 54 more since Sunday to 4,813 at midday today. Hospitalizations have risen by 12 to 77. Deaths increased by two to 100. 2,329 tests were completed in 24 hours with what Hutchinson said was a positive rate of about 2.5 percent.
The governor held his briefing today in Forrest City. He met with a variety of local officials about the outbreak of coronavirus cases there, including hundreds at the federal prison there. He said 550 tests were performed Saturday, the most extensive in a single community since the virus response began. Of 290 tests completed, 24 were positive. “I consider that good numbers,” Hutchinson said. Mayor Cedric Williams spoke briefly.