Arkansas Division of Workforce Services shut down portal after programmer discovers it put applicants’ data at risk
A state program that was created to process unemployment applications in Arkansas for self-employed individuals or gig economy workers appears to have been illegally accessed and has been shut down, officials announced Saturday.
Gov. Asa Hutchinson said he learned Friday evening that an applicant for the program is believed to have somehow accessed the system, prompting an investigation of a possible data breach.
Read more on KATV.
But the breach appears to be more of a leak/vulnerability that exposed the data of 30,000 applicants. Were the data scraped or dumped anywhere, though, or were these people just at risk and some expert noticed it and alerted them? There’s a lot that’s confusing in much of the reporting, including Fox13’s headline blaring that “Hackers leak over 20,000 unemployment applicants bank information.” What hackers? Where? Lindsey Millar’s reporting on Arkansas Times provides helpful details as to the vulnerability that was discovered:
In exploring the website, the computer programmer determined that by simply removing part of the site’s URL, he could access the administrative portal of the site, where he had the option of editing the personal information of applicants, including bank account numbers. From the admin portal, he viewed the page’s source code and saw that the site was using an API (application programming interface) to connect with a database. That API was also left unencrypted, and he could access all of the applicants’ raw data, including Social Security numbers and banking information.
In about two minutes, the computer programmer described the vulnerability to another programmer the Arkansas Times engaged, who then used the information to easily enter the system. To access the sensitive information, the second programmer only needed to create an account, not actually apply for assistance.
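The two failures described above (an admin portal reachable just by trimming the URL, and a data API that hands every applicant’s raw record to anyone with an account) are both missing server-side authorization. The following is an added illustration written for this post, not the state portal’s code; the route names, roles and applicant records are constructed, and it models request handling in plain Python so it can be run without a web framework.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records standing in for the applicant table (not real data).
APPLICANTS = {
    "a1": {"name": "Applicant One", "ssn": "***-**-0001", "acct": "000111"},
    "a2": {"name": "Applicant Two", "ssn": "***-**-0002", "acct": "000222"},
}

@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None means no session at all
    role: str = "applicant"      # "applicant" or "admin" (assumed roles)

def vulnerable_handle(req):
    """Mirrors the reported weakness: neither the admin portal nor the
    database API checks who is asking, so knowing (or truncating to) the
    URL is enough to reach every applicant's raw record."""
    if req.path == "/admin":
        return 200, "admin portal"
    if req.path == "/api/applicants":
        return 200, APPLICANTS
    return 404, None

def hardened_handle(req):
    """Deny by default on the server: no session -> 401, admin portal and
    bulk listing need the admin role, and an applicant can only read the
    record tied to their own account (no cross-applicant lookups)."""
    if req.user is None:
        return 401, None
    if req.path == "/admin":
        return (200, "admin portal") if req.role == "admin" else (403, None)
    if req.path == "/api/applicants":
        return (200, APPLICANTS) if req.role == "admin" else (403, None)
    if req.path.startswith("/api/applicants/"):
        target = req.path.rsplit("/", 1)[1]
        if req.role != "admin" and target != req.user:
            return 403, None          # object-level check, not just "logged in"
        rec = APPLICANTS.get(target)
        return (200, rec) if rec else (404, None)
    return 404, None
```

The point of the hardened version is that authorization lives in the handler for every route, so hiding a link in the front end or guessing a URL changes nothing.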