HARRISBURG, Pa. (WHTM) — Pennsylvania’s Department of Labor and Industry (L&I) conceded for the first time Wednesday that hackers are diverting Pennsylvanians’ unemployment compensation checks to fraudulent accounts and that the state’s new unemployment compensation system doesn’t use a common security measure, which cybersecurity experts have called a “minimum standard,” to prevent the attacks.
The admission follows a week of reporting by abc27 News about the attacks.
L&I “has detected an escalation in fraudsters’ attempts to steal unemployment compensation benefits through increasingly aggressive and sophisticated schemes,” a department spokesman said first to abc27 News and later in a press release to all media.
“The scheme does not appear to be sophisticated at all,” said Jonathan S. Weissman, a senior lecturer in Rochester (N.Y.) Institute of Technology’s department of computing security, corroborating a view expressed to abc27 earlier in the week by another cybersecurity expert. “Cybercriminals are finding usernames and passwords – and trying them. If they work, they work.”
The problem, according to both? The system lacks multi-factor authentication, which would require anyone changing banking information to physically possess something belonging to the rightful claimant, such as a mobile phone.
“Multi-factor authentication, a two-step process that will add an extra layer of protection, will be added for claimants,” L&I’s release said Wednesday, confirming the current absence of such a process.
“L&I takes seriously its responsibility to safeguard taxpayer dollars and individuals’ personal data. We will continue these efforts aggressively and transparently,” the release quoted L&I Secretary Jennifer Berrier as saying.
Unemployment claimants who called and emailed abc27 News, following the first report, told similar stories of L&I phone reps telling them the problem was widespread and began shortly after the summertime migration to the new system. L&I previously disclosed fraudulent attempts to file new claims for unemployment — and identity-verification measures to fight those attempts — but not the hacking and diversion of funds from existing accounts.
Why the timing of Wednesday’s announcement?
“Definitely the story on TV,” said the woman who first reported the scheme. “That’s definitely not a coincidence. They were fully aware of issues long before I brought it to your station.”
She credited the reporting but also the other viewers who came forward, indicating the potential scope of the problem.
L&I hasn’t yet disclosed the full scope of the problem, in terms of the number of claimants whose money was stolen or the amount of money stolen, nor whether it can be recovered.
Both the woman who initially reported the problem and another viewer told abc27 Wednesday their issues were resolved subsequent to the first story. Others said they were still waiting.
“It’s horrible. You have to empathize” with the theft victims, said Sen. Kristin Phillips-Hill (R-York), who chairs the state senate’s communications and technology committee. “If we put just a few more procedures in place to make those accounts safer, we probably wouldn’t be having this conversation today.”
She too credited the reporting and the viewers who shared their stories.
“I have absolutely no doubt that telling those stories spurred the action,” Phillips-Hill said.
The problem? “We don’t have assurances that the best practices are being put in place, hence you see what happened with this unemployment compensation system,” she said.
Part of the potential solution, according to Phillips-Hill? Legislation she’s sponsoring that would require the involvement of a state Office of Information Technology (OIT) in big information-technology projects like the new unemployment system.
“And they would set cybersecurity standards all across state government,” she said. “I would have to believe that if something like that were in place, we may have avoided this.”
Phillips-Hill said last year’s attack on the Colonial Pipeline was — like the unemployment system hack — surprisingly unsophisticated. “It was one leaked password that caused that entire scenario,” she said.