Account Takeover Fraud , Cybercrime , Fraud Management & Cybercrime

Kentucky Unemployment Insurance Site Shuttered After Attack

State Resets 300,000 PINs to Block Fraudsters
Kentucky Unemployment Insurance Site Shuttered After Attack

The Kentucky Office of Unemployment Insurance shut down its account operations for four days - starting 12:01 a.m. Friday - while it battles a cyberattack that has forced it to reset more than 300,000 PINs to stop fraudsters from gaining access to accounts and diverting benefit payments.

See Also: Understanding Human Behavior to Tackle ATO & Fraud

All the Office of Unemployment Insurance websites and portals dealing with unemployment accounts were taken offline as state IT workers attempted to bolster systems' cybersecurity capabilities, officials say.

The operations are slated to go back online at 12 a.m. April 13. Until then, state residents will be unable to file new claims or request benefits, but the Office of Unemployment Insurance says it will backdate any new claims.

Attackers' Tactics

"Suspect criminal individuals or enterprises have attempted to gain unauthorized access to UI customer data," the office says in a statement. "Using known or predictable user information, like Social Security numbers, bad actors used automated tools to attempt to gain unauthorized access to claimant accounts. Although … PINs are encrypted, it is possible for a person with enough computing power to guess an encrypted PIN by testing particularly weak or obvious four digit combinations."

Amy Cubbage, the Kentucky governor's general counsel who is overseeing the state's Office of Unemployment Insurance, said at a Friday press conference that many claimants chose simple passwords - with 4,000 accounts using "1-2-3-4" and 1,500 using "2020" - so they were easy for attackers to detect.

Cubbage said that, in some cases, attackers reset claimants' bank account information, directing unemployment benefits to an unauthorized account.

What Systems Are Vulnerable?

The Kentucky officials' statement leaves several questions unanswered about what systems were attacked, says Mike Hamilton, the former CISO for the city of Seattle and now CISO at CI Security.

"Was this a website, or was it IVR [interactive voice response]? Was the system capable of user lockout after three to five failures? Was there any technical control over the PIN itself, for example a prohibition on ‘0000’? What were the geographic source(s) of the attempts?" he asks.

Changes Initiated

Several new protocols designed to improve account security will be in place when the system reopens on April 13, Kentucky officials say.

Claimants will have to reregister, create a 12-digit password and verify their email address. They will then receive a two-factor authentication code number via email, allowing them to regain access to their account, according to the state.

The claimants will then have to use new eight-digit PINs to access their accounts, the state says.

Past Problems

The Kentucky unemployment system was under scrutiny by state officials for several months, according to the Courier-Journal newspaper. In February, some residents did not receive their direct deposit unemployment benefits, while others reported that their account's bank information had been altered.

As a temporary fix for this issue, the state disabled claimants' ability to change their bank account information, the newspaper reported.

Washington State Incident

In another state unemployment benefits incident, in February the state of Washington reported a data breach that took place in December 2020 and exposed 1.4 million unemployment claimants’ records.

That incident apparently stemmed from attackers exploiting a flaw in Accellion's File Transfer Appliance (see: Washington State Breach Tied to Accellion Vulnerability).


About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.