Whistleblower Says ‘Thousands’ Affected By State’s Unemployment Data Security Lapse
A small-business owner from southern Illinois said she stumbled upon an “insane” data-security problem with the state’s new unemployment claims system – and she believed the problem was far bigger than Gov. JB Pritzker’s administration has publicly acknowledged.
On Sunday, the business owner told WBEZ she was struggling financially since the coronavirus pandemic began and applied for unemployment benefits using the state’s week-old system for processing benefits claims from jobless independent contractors and gig workers.
That’s when she said she inadvertently discovered that the website for the Pandemic Unemployment Assistance, or PUA, system was displaying Social Security numbers and other personal information for “thousands and thousands” of applicants for unemployment benefits.
She viewed what she said were dozens of pages online with the personal data on applicants, immediately took photographs of some of those screens as proof of the problem – and then shared her findings with her state representative’s office and a member of Pritzker’s cabinet.
“I consider [myself] someone who stepped up to the plate and said, ‘Hey, this crap has got to stop, and somebody doesn’t have their crap together,’” the business owner said in a phone interview Sunday. “It was 50 pages-plus. So we’re talking thousands of people. This is insane.”
The woman granted an exclusive interview to WBEZ on the condition that she, her business and her hometown not be identified in this story. She said she was afraid that being identified in media coverage of the problem could hurt her application for unemployment benefits or make her a target of people angered by the disclosure of their personal information.
WBEZ first reported the problem on Saturday, when the governor’s office acknowledged that a “glitch” with the new, federally funded PUA computer system had mistakenly “made some private information publicly available” for a short period of time.
In the statement from Pritzker’s office, his spokeswoman did not say how many people had been affected, what kind of information was disclosed or what had caused the problem in the first place.
The spokeswoman, Jordan Abuddayeh, said Sunday officials planned to provide more details about the problem soon.
WBEZ has reviewed screenshots the business owner from Downstate had taken and provided to her representative in the state House and to Thomas Chan, the acting director of the Illinois Department of Employment Security.
The woman said she is “not a computer wizard” or a hacker and was looking only for information about her own case when she came across the personal information of other applicants, including phone numbers, addresses and references to the number of dependents that benefits seekers have.
“I started freaking out and I’m like, ‘This is not right,’” she said. “I started shaking and taking screenshots because I was like, ‘No one is going to believe me that this is here.’ And I thought, ‘Who am I going to send this to?’ Because you can’t get a hold of anybody in unemployment. You can’t talk to a live person. I couldn’t, being just a regular person.”
Like many others across the state, the business owner from southern Illinois said she has experienced great difficulty using the IDES computer system or the agency’s toll-free hotline for unemployment benefits.
The system has been overwhelmed with a record number of applications in the two months since the coronavirus pandemic prompted Pritzker to close all businesses except those deemed essential.
The business owner said her banker put her in touch with state Rep. Terry Bryant, R-Murphysboro, and Bryant says she contacted the governor’s office on Friday.
“She’s not a hacker,” Bryant said. “This is a nice lady. This is a person who easily got to that [personal information].”
On the same day she contacted Bryant, the business owner said she got a call from Chan, the IDES chief, asking for information about the data-security issues she found. She provided WBEZ with copies of the emails she sent to Chan.
“He called me and he wanted me to email him some of my screenshots,” the business owner said. “I told him how I got in and how easy it was - two clicks.”
The governor’s spokeswoman, Abuddayeh, said the state would contact people who were affected by the data-security problem.
State Sen. Dan McConchie, R-Hawthorn Woods, sponsored legislation last year that would have forced the state to cover the cost of providing identity-theft protection for a year in cases where Illinois officials disclose personal data. The measure was not approved in Springfield.
McConchie said Sunday he introduced the proposal after state officials posted the Social Security numbers of boat owners twice.
The business owner who discovered the IDES’ data-security problem said the state should cover the cost of providing protection from fraud for all of the unemployment applicants whose personal information was exposed last week.
“I am devastated,” she said. “Whoever was responsible for the PUA program should take responsibility. They obviously did not know what they were doing.”
Washington created the PUA program and provided funding for it in March, and the state website for applicants under the new program launched on Monday.
The computer system was created by a private company under a no-bid contract with IDES. The deal is worth nearly $9.5 million and was signed on April 24, according to documents obtained by WBEZ.
The contract included an attachment relating to the “protection of Social Security numbers.”
Dan Mihalopoulos is a reporter on WBEZ’s Government & Politics Team.
Gloss