HARRISBURG, Pa. (WHTM) — Luke Grumblatt only knew where his unemployment money wasn’t: in his own bank account, the same one he’s had his whole life.

He never could have guessed where it was: an account at SoFi, a San Francisco-based online bank.

That’s what Grumblatt, of Exeter Township near Reading, says he learned when — after multiple phone calls, to the Department of Labor and Industry (L&I) and a conversation with an auditor in the state’s Treasury Department — an L&I phone agent told him where his money was being direct-deposited and asked: “Is this your bank?”

Grumblatt says the treasury auditor, with whom he spoke previously in late December, didn’t seem to know.

“He was like, ‘Everything looks good,'” Grumblatt said. “Never mentioned anything about changed payment info. He was like, ‘Okay, we’ll release the money.’ I was like, ‘Cool, that’s awesome. Perfect.’ So now I’m waiting. Still haven’t gotten paid.”

Get daily news, weather, breaking news and alerts straight to your inbox! Sign up for the abc27 newsletters here

“Have victims been made aware of this data breach other than your reporting?” wondered State Sen. Kristin Phillips-Hill (R-York), who said she is working to expedite legislation that would require state agencies in similar situations in addition to legislation she is sponsoring that would require the involvement of a state Office of Information Technology (OIT) in big information-technology projects like the new unemployment system.

“It seems like one of those things where if this is happening, and you’re getting more than a couple of claims here and there, you’d reach out” to unemployment compensation recipients, said Grumblatt, who said he received two of the five weeks of pay he was due between when he was laid off in October and when he went back to work.

But the state hasn’t contacted recipients directly, based on conversations with numerous recipients who have contacted abc27 News. Asked Thursday whether it had contacted either victims or all unemployment recipients, L&I replied with a statement: “L&I is always actively looking at measures to enhance the security of the UC system and implementing changes where necessary. The investigation is ongoing and we cannot comment any further.”

Also citing the investigation, the department has previously declined to say how much money has been stolen, whether the money can be recovered, how many claimants are affected, and when they can expect to recover their money. It also hasn’t said whether it has now managed to stop the thefts or if they continue.

Grumblatt said he was frustrated to realize many people were struggling independently to come to the same conclusion.

“For this to happen, there’d have to be like a huge glaring hole in login info,” he said of his initial thought when we learned his account had been breached before he realized the likely scale of the breach. “And then I realized no, this is happening to multiple people, so there is a huge hole in their login info. like there is some kind of like data breach that they don’t want to admit to.”

The state admitted the system had been breached a week after abc27’s initial report about the apparent breach and months after several unemployment recipients say L&I agents told them “thousands” of people were experiencing similar issues.

Cybersecurity experts have criticized L&I for not requiring multi-factor authentication, or MFA, which one expert called a “minimum standard,” in order to siphon unemployment checks into a different bank account. MFA could include sending a code to a recipient’s cell phone and requiring the recipient to enter that code in the unemployment portal in order to proceed.

The idea: Anything requiring only knowledge — not just usernames and passwords but answers to security questions too — is easily stolen online, whereas requiring a second “factor,” such as physical possession of an item like a cell phone, greatly reduces the opportunity for fraud.