The Arkansas Pandemic Unemployment Assistance website went back online Wednesday. It had been down since Friday, May 15, after the Arkansas Times reported a security vulnerability to the state Division of Workforce Services. The Times learned from a computer programmer, himself an applicant, that Social Security numbers, bank account and routing numbers and other personal information were easily accessible on the site.
The Division of Workforce Services also announced Wednesday that it expected to begin processing claims by the end of the week. Applicants logging into the newly reopened website are now required to change their password to access their account, an applicant told the Times.
Earlier Wednesday, the Arkansas Department of Commerce, the agency that includes Workforce Services, declined to answer any PUA-related questions from the Arkansas Times, citing the FBI investigation into the “data security incident.” Governor Hutchinson announced the FBI’s involvement Monday, May 18. “We believe law enforcement should perform their investigations uninterrupted or unencumbered by the Department,” Alisha Curtis, chief communications and legislative director for the Arkansas Department of Commerce, said in an email. “Due to this investigation, we are limited in the information we can share at this time.”
The Times’ unanswered questions included one on a timeline for making payments to applicants and others related to the division of labor between the state and ProTech, the private firm that was contracted to build the PUA website.
On Saturday, May 16, Hutchinson said forensic experts were analyzing the site and hoped to have that work completed in 24 hours. On May 18, Hutchinson told a member of the press at a COVID-19 update in Forrest City that the investigation had found that information had been “exploited.” In response to further questioning, he said, “We don’t believe that the data was manipulated. In other words, where someone would go in and change a bank account number, which is what criminals would do. When you say ‘exploited,’ I believe that is a technical term of art that includes visual seeing of someone else’s data. That is a concern to us and that is what constitutes a breach.”
Hutchinson has suggested that the programmer, who tried to notify at least two state agencies of the site’s deficiencies after he discovered them, might have committed a crime. Cybersecurity experts have criticized the governor for “shooting the messenger” and setting bad precedent that could prevent other people from coming forward when they identify web vulnerabilities.
Holly Dickson, interim director and legal director of the ACLU of Arkansas, also criticized the governor. “There is nothing unlawful or inappropriate about trying to blow the whistle on the state’s failure to protect personal data,” she said in a statement to the Times. “It is deeply concerning that state officials are trying to deflect the blame for mishandling people’s personal information by smearing a good Samaritan who identified these vulnerabilities and alerted the proper authorities. Any retaliation against this individual would raise serious legal and constitutional concerns.”
FBI Little Rock spokesman Connor Hagan said he could not discuss specific details related to the ongoing investigation. He said the FBI urges “the public to report any suspicious cyber activity to the FBI at www.ic3.gov. We’d also like to remind Arkansans to immediately report any cyber vulnerabilities they encounter online to law enforcement and then take no further action.”
The state Division of Workforce Services has engaged Tracepoint, a digital forensics and incident response company, to investigate the incident. A statement of work, obtained through a Freedom of Information Act request, estimates the investigation will take 55-95 hours and cost $20,625-$35,625. It was signed by a Division of Workforce Services official May 17.
The state’s primary cyber insurance policy covers liability up to $10 million with a $250,000 retention, which works like a deductible: the state pays the first $250,000 of a covered loss itself before the insurer pays. The annual premium is $296,359. The state also has an excess policy and a syndicate reinsurance policy.
Christopher Wright, an information security professional with Sullivan Wright Technology Partners in Little Rock, said investigators should know quickly if there was a major data breach. “If there’s something glaringly obvious, it would stick out very quickly to people who knew what to look for. You might be able to identify a very loud attack within 24 hours. But if just a few people’s information was compromised, rather than the whole backend database being dumped, that would be a lot harder to look at. That would be a needle in a haystack kind of thing.”
To investigate the potential breach, experts will examine the PUA application and server log files. Tracepoint lists log analysis as phase 2 of its work plan.
“The logs are all there as long as [the state and ProTech] didn’t royally screw it up,” security expert Andrew Morris, founder of GreyNoise in Washington, D.C., said. “As long as they’re just not logging or destroying logs, there should be multiple levels [to examine] — application-level logging and server logs, which at the very least will have source IP address, what was requested and whether it was allowed.”
Wright said the investigation could involve scanning thousands or even millions of log entries. “Every time you hit enter on a web browser to go to a website, that could be 10 or 20 different lines in a log file. Even the best security monitoring functionality is not going to have that kind of ‘push button, get answer’ kind of thing. You’re still going to have to do that very rigorous forensic analysis of the log.”
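The kind of log triage Morris and Wright describe, as an added example that is not part of the article and is not the state's, ProTech's or Tracepoint's code: it reads web-server access-log lines, keeps only requests for claim records, and reports any client that was served (HTTP 200) a record other than its own, separately from requests the application refused. The log format (Common Log Format with the login name in the third field), the URL scheme `/claim/<id>/...`, the `app<id>` login-name convention and the sample lines themselves are all constructed for illustration; nothing here describes how the PUA site actually behaved.

```python
"""Triage web-server access logs for one client reading other applicants' records.

Added example, not code from the state, ProTech or Tracepoint. Assumes a
Common Log Format access log with the authenticated user in the third field
and a hypothetical URL scheme /claim/<id>/... ; the sample lines are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample lines: one ordinary applicant reading their own record,
# one client that walks through other applicants' records (one of those
# requests refused with 403), and one unauthenticated request to /login.
SAMPLE_LOG = """\
203.0.113.5 - app1001 [16/May/2020:10:01:02 -0500] "GET /claim/1001/summary HTTP/1.1" 200 812
203.0.113.5 - app1001 [16/May/2020:10:01:09 -0500] "GET /claim/1001/bank HTTP/1.1" 200 412
198.51.100.7 - app2002 [16/May/2020:10:03:11 -0500] "GET /claim/2002/summary HTTP/1.1" 200 799
198.51.100.7 - app2002 [16/May/2020:10:03:15 -0500] "GET /claim/2003/bank HTTP/1.1" 200 410
198.51.100.7 - app2002 [16/May/2020:10:03:16 -0500] "GET /claim/2004/bank HTTP/1.1" 200 409
198.51.100.7 - app2002 [16/May/2020:10:03:17 -0500] "GET /claim/2005/bank HTTP/1.1" 403 120
198.51.100.7 - app2002 [16/May/2020:10:03:18 -0500] "GET /claim/2006/bank HTTP/1.1" 200 415
192.0.2.9 - - [16/May/2020:10:05:00 -0500] "GET /login HTTP/1.1" 200 2310
"""

# Common Log Format: host ident user [timestamp] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Hypothetical record URL scheme for this example.
CLAIM_RE = re.compile(r'^/claim/(?P<claim>\d+)/')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def own_claim_id(user):
    """Hypothetical mapping from login name to the applicant's own claim id.
    In a real investigation this comes from the application database."""
    return user[3:] if user.startswith("app") else None


def find_cross_account_reads(log_text):
    """Group claim-record requests by (source IP, user) and report every
    client that requested a claim other than its own, split into ids the
    server actually served (status 200) and ids it refused."""
    served = defaultdict(set)
    refused = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines deserve a look of their own
        cm = CLAIM_RE.match(rec["path"])
        if cm is None:
            continue  # not a claim-record request
        claim = cm.group("claim")
        if claim == own_claim_id(rec["user"]):
            continue  # applicant reading their own record: expected
        key = (rec["ip"], rec["user"])
        if rec["status"] == "200":
            served[key].add(claim)
        else:
            refused[key].add(claim)
    return {
        k: {"served": sorted(served[k]), "refused": sorted(refused[k])}
        for k in set(served) | set(refused)
    }


if __name__ == "__main__":
    for (ip, user), hit in find_cross_account_reads(SAMPLE_LOG).items():
        print(f"{ip} as {user}: served other applicants' claims {hit['served']}, "
              f"refused {hit['refused']}")
```

The served/refused split is the "whether it was allowed" field Morris mentions: a 403 shows the application rejected the request, a 200 for someone else's record is the event that has to be explained. On a real site the client would be keyed on the session or account identifier rather than only the source IP, and a client reading one or two foreign records is exactly the "needle in a haystack" Wright describes, which is why the check reports every foreign read rather than applying a volume threshold.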
Security experts said it was difficult to know the precise problems that allowed a computer programmer to see personal information of other applicants, but based on the Times reporting, they pointed to deficiencies in authentication and in protecting sensitive data with encryption. The OWASP Foundation, an organization that works to improve the security of software, maintains a periodically updated Top 10 list of the most critical web application security risks. In the current (2017) edition, No. 2 is “broken authentication” and No. 3 is “sensitive data exposure.”
The state or ProTech should have at least done “some very basic application security testing,” Morris said. “From an engineering perspective, you don’t want to have data like this unencrypted. At a very base level, they should have identified critical data and made sure that data was protected, so even if application-level vulnerabilities happen the data is encrypted and useless.”
Wright said, “Typically you do fairly vigorous testing. That’s best practice. But there’s not really anyone on this planet who does security very well. I’m assuming they said, ‘Hey we’ve got to get this out the door,’ so they shortened some of those development cycles. Then it becomes more of, ‘How do you fix those along the way?’ It’s sad to say from a security practitioner standpoint, but a lot of times it’s a ‘we’ll fix the engine while we’re driving down the highway’ kind of thing.”
Philip Huff, an assistant professor in UA Little Rock’s Department of Computer Science with 15 years of private-sector cybersecurity experience, said most software is vulnerable. “It’s like a diamond field, like in Murfreesboro. You just keep scrubbing, you’re going to find something. Code is too complex to fully prevent them.”
The state has filed 23 cyber liability insurance claims since November 2018. Thirteen of the claims remain open. Unauthorized access is listed as the cause of seven of the claims, including the PUA website incident.