Second Data Breach at Kentucky Unemployment System

Kentucky's unemployment system appears to have suffered its second data breach in four months after a claimant reported being able to view another claimant's personal data.

The reporter of the alleged breach logged on to the Office of Unemployment Insurance's (OUI) online system on July 27 to work on their unemployment application. While trying to enter their own details, the claimant was able to view information about another claimant's former employer and health. 

A statement released on July 29 by the Labor Cabinet said that the reporter of the alleged breach was not shown the other claimant's name, Social Security number, or other personally identifying information.

The statement read: "On July 27, 2020, at approximately 4 p.m., the Office of Unemployment Insurance ('OUI') learned that a claimant (Claimant A) had seen information pertaining to another individual (Claimant B) while Claimant A was navigating his own unemployment application in the OUI online system. Specifically, as he was navigating his application, Claimant A saw information about Claimant B's former employer, as well as information pertaining to Claimant B's health."

The cabinet said that OUI was "reporting this potential breach out of an abundance of caution" while the allegations are investigated by the Office of Technology Services.

On July 28, the fired former director of Kentucky’s unemployment office told a panel of lawmakers that officials at the Education and Workforce Development Cabinet took no action for a day following reports that claimants had been able to log in to the OUI system and see other people's sensitive information.

Muncie McNamara was hired to run the unemployment office in December but lost his job in May after months of reported backlogs in the system. McNamara said an email he sent to the IT department on April 22 about a possible breach received no response.

J.T. Henderson, a spokesman at the Cabinet for Education and Workforce Development, said the only “verifiable” claims of a data breach were received on April 23.

Following the April data breach, 53,029 Kentuckians who filed unemployment claims between March 1 and April 23 were notified that their data may have been exposed.

Kentucky's current unemployment rate is 4.3%, with nearly 83,000 Kentuckians registered as unemployed in June 2020.
