Kentucky Unemployment Insurance Site Shuttered After AttackState Resets 300,000 PINs to Block Fraudsters
The Kentucky Office of Unemployment Insurance shut down its account operations for four days - starting 12:01 a.m. Friday - while it battles a cyberattack that has forced it to reset more than 300,000 PINs to stop fraudsters from gaining access to accounts and diverting benefit payments.
All the Office of Unemployment Insurance websites and portals dealing with unemployment accounts were taken offline as state IT workers attempted to bolster systems' cybersecurity capabilities, officials say.
The operations are slated to go back online at 12 a.m. April 13. Until then, state residents will be unable to file new claims or request benefits, but the Office of Unemployment Insurance says it will backdate any new claims.
"Suspect criminal individuals or enterprises have attempted to gain unauthorized access to UI customer data," the office says in a statement. "Using known or predictable user information, like Social Security numbers, bad actors used automated tools to attempt to gain unauthorized access to claimant accounts. Although … PINs are encrypted, it is possible for a person with enough computing power to guess an encrypted PIN by testing particularly weak or obvious four digit combinations."
Amy Cubbage, the Kentucky governor's general counsel who is overseeing the state's Office of Unemployment Insurance, said at a Friday press conference that many claimants chose simple passwords - with 4,000 accounts using "1-2-3-4" and 1,500 using "2020" - so they were easy for attackers to detect.
Cubbage said that, in some cases, attackers reset claimants' bank account information, directing unemployment benefits to an unauthorized account.
What Systems Are Vulnerable?
The Kentucky officials' statement leaves several questions unanswered about what systems were attacked, says Mike Hamilton, the former CISO for the city of Seattle and now CISO at CI Security.
"Was this a website, or was it IVR [interactive voice response]? Was the system capable of user lockout after three to five failures? Was there any technical control over the PIN itself, for example a prohibition on ‘0000’? What were the geographic source(s) of the attempts?" he asks.
Several new protocols designed to improve account security will be in place when the system reopens on April 13, Kentucky officials say.
Claimants will have to reregister, create a 12-digit password and verify their email address. They will then receive a two-factor authentication code number via email, allowing them to regain access to their account, according to the state.
The claimants will then have to use new eight-digit PINs to access their accounts, the state says.
The Kentucky unemployment system was under scrutiny by state officials for several months, according to the Courier-Journal newspaper. In February, some residents did not receive their direct deposit unemployment benefits, while others reported that their account's bank information had been altered.
As a temporary fix for this issue, the state disabled claimants' ability to change their bank account information, the newspaper reported.
Washington State Incident
In another state unemployment benefits incident, in February the state of Washington reported a data breach that took place in December 2020 and exposed 1.4 million unemployment claimants’ records.
That incident apparently stemmed from attackers exploiting a flaw in Accellion's File Transfer Appliance (see: Washington State Breach Tied to Accellion Vulnerability).