Unemployment fraud in one state and a breach while investigating unemployment fraud in another state

Unemployment fraud is a rampant problem these days. Even investigating it can increase the risk of fraud, it seems.

Betty Lin-Fisher reports that hundreds of thousands of Ohioans have become victims, and they generally are first finding out because the Ohio Department of Job and Family Services (ODJFS) started sending out 1099 tax statements showing residents what they supposedly received in benefits.

Ohio is not the only state where people are shocked to discover their information has been misused for unemployment fraud. Lin-Fisher explains that criminal rings took advantage of expanded federal unemployment benefits (known as the Pandemic Unemployment Assistance or PUA program) during the COVID-19 pandemic

without the normal confirmation processes in place. The PUA program allowed for people who normally don’t qualify for unemployment benefits, like self-employed workers, to claim unemployment, in addition to people in the traditional unemployment program.

The difference, Betti said, is the Department of Labor urged states to let PUA recipients “self-certify both their eligibility and their earnings history. This allowed payments to be issued quickly, but, unfortunately, it also opened a door for criminal activity.”

In that eternal tradeoff between convenience/speed and security, security took a bruising.

Over in Washington state, things are even more face-palm inducing. Gene Johnson of the AP reports that more than 1 million people may have been impacted by a breach involving a state vendor that occurred when the state tried to investigate massive unemployment fraud:

The breach involved a third-party software vendor, Accellion, which the state Auditor’s Office uses to transmit files.

…  Also potentially affected was personal information held by the Department of Children, Youth and Families, and non-personal financial and other data from about 100 local governments and 25 other state agencies.

In a statement Monday, Palo Alto, California-based Accellion called the attack “highly sophisticated” and said it targeted the company’s legacy secure file-transmitting software, a 20-year-old product called FTA. The Auditor’s Office said it had nearly completed transitioning from that product to the company’s new one at the end of the year when the breach occurred; since Dec. 31, the auditor’s office has been on the new system.

Criminals are nimble and pivoted quickly to unemployment fraud in 2020. And we are first finding out how very successful they were.

Related: About the Accellion data security breach

About the author: Dissent

Comments are closed.