Pa. unemployment hack: State bought system with multi-factor authentication but didn’t turn it on


HARRISBURG, Pa. (WHTM) — Why would Pennsylvania’s Department of Labor and Industry (L&I) spend $35 million on a new unemployment system that doesn’t have multi-factor authentication (MFA) — a security measure considered a “minimum standard” by cybersecurity experts?

The answer: It didn’t buy such a system. It bought a system that had the option but chose not to turn it on, according to a spokesperson for the company.

“Geographic Solutions provides an MFA option that they could opt to use, or they could use another source. The state has to authorize them to turn it on. It is on in other states such as [Louisiana and Nebraska],” she said.

By “another source,” she meant another supplier or internal resources. L&I said previously it implemented a system called ID.me to verify the identities of all new unemployment applicants but admitted it doesn’t have multi-factor authentication in place to prevent hackers from changing the direct-deposit banking information of existing unemployment compensation recipients. It said Wednesday MFA “will be added for claimants.”


Following Friday’s revelation that L&I previously declined the MFA option offered by its supplier, abc27 asked L&I why it declined the option. The department’s reply:

“MFA cannot be simply turned on with a system as large as UC which has hundreds of thousands of claimants. Implementing MFA will take time to test to ensure it works correctly and so legitimate claimants continue to get their benefits. We have started that process and are working as quickly as possible.

“It is important to note the new system launched in June 2021, and has enhanced security and ID.me to verify the identities of claimants which allowed L&I to combat the type of unprecedented fraud that had plagued UC systems nationwide since the start of the pandemic. The current fraud has evolved into a more sophisticated scheme, which is why we are alerting the public and our security is evolving.”

Pa. Department of Labor and Industry Statement

abc27 News has again asked why L&I declined the option when it implemented the system.

L&I declined to tell abc27 News — for now, at least — how many Pennsylvanians had their unemployment benefits stolen, how much money was stolen or whether any of it can be recovered.

“We are committed to continued transparency in this endeavor, but we cannot risk premature transparency of our investigation that would potentially incentivize the criminal actors,” a department spokesperson wrote in response to those questions. “We are actively investigating to determine the scope and impact and will provide more information to the public when this investigation has concluded.”

Copyright 2022 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
