Kentucky unemployment website experienced April data breach

Gov. Beshear updates Kentucky’s reopening plan
Updated: May. 28, 2020 at 7:52 PM EDT
Email This Link
Share on Pinterest
Share on LinkedIn

FRANKFORT, Ky. (FOX19) - Kentucky officials reported Thursday what Gov. Andy Beshear described as a “data breach” in the state’s unemployment insurance web portal.

The so-called breach took place on April 23, according to a release from Kentucky’s Education and Workforce Development Cabinet.

EWDC says its Office of Technology Services received a report at 9:17 a.m. on that day saying some unemployment insurance claimants could potentially view the identity verification documents uploaded by others.

OTS took the unemployment insurance portal down completely at 11:30 a.m.

By noon, EWDC says, the system had been changed to ensure no one was able to view any uploaded documents. By midnight, the security team had patched the software to correct the problem permanently.

“There are no indications that the UI system was infiltrated from the outside,” Deputy Secretary Josh Benton said. “This was only a situation that could potentially be viewed by other UI claimants.”

Benton added no additional incidents have been reported and that an ongoing technology investigation has been ongoing since then to make sure the system is secure.

EWDC says it is impossible to determine how many of the documents uploaded may have been viewable at the time of the incident.

It adds the likelihood of harm is “very low” and that no reports of identity theft or financial harm have been received.

Benton says the major credit reporting agencies have been notified. Kentuckians potentially impacted will receive a letter from EWDC in the next week.

Beshear says he learned of the breach last week based on an email between EWDC and the attorney general’s office.

According to Beshear, EWDC did not believe the vulnerability qualified as a data breach under the law and therefore did not believe it was compelled to disclose it publicly. The governor believes it was a breach.

“I learned about this based on an email between the cabinet and the attorney general’s office late last week," he said. "I believe we’ve got to identify when something is a breach and we’ve got to do it correctly, and I wasn’t going to let the fact that it happened over a month ago prevent us from doing the right thing now.”

The governor continued: “I want to thank Josh (Benton) and his staff for how quickly they internally reacted to this. But I do want you to know I am not satisfied by the response.

“While there is no indication anyone has been or will be financially harmed, I do believe it took way too long to provide public notice. This was back in April.”

Beshear explained he’s asked the inspector general from the transportation cabinet to look at the breach to ensure the software is sufficiently secure.

Copyright 2020 WXIX. All rights reserved.