“Appalling” was how Vermont’s governor described the incident.
In the U.S., millions of job seekers from at least 10 states might have had personal data stolen by hackers, according to a press release from America’s JobLink Alliance. From February 23 to March 14 of this year, a hacker gained unauthorized access to names, birthdays, and social security numbers of individuals in AJLA’s database.
So far, the states that seem to be affected by this breach include Vermont, Arkansas, Illinois, Alabama, Delaware, Idaho, Arizona, Maine, Kansas, and Oklahoma. Exact numbers of affected job seekers is yet unknown, but 180,000 or more Vermont Labor Department accounts alone, for example, could be affected.
“As a society, we’ve reached the point where every organization entrusted with PII should be constantly testing and hardening its external and internal defenses, and embracing more proactive, effective levels of defense such as consumer behavior analytics solutions, which can constantly validate legitimate users — even when the stolen but accurate credentials are presented,” said Lisa Baergen, director of marketing at NuData Security. “That would be the best way to help prevent the sorts of deceitful transactions and identify theft that otherwise may lie ahead for these unfortunate JobLink victims.”
The U.S. Department of Labor provides the AJLA service, which is operated by the independent party. Based in Kansas, the AJLA coordinatetecs federal workforce development and unemployment programs in various states across the U.S.
The AJLA claims that, on February 20, 2017, a hacker used a newly-created job seeker account in AJLA’s system to illegally access the details of various job seekers. The hacker exploited a flaw in the application code’s configuration, which the company has since resolved.
“It is entirely unacceptable that organizations such as this are allowed to violate the public’s trust by not properly securing critical identity information,” said John Gunn, CMO at VASCO Data Security. “This is adding injury to misfortune — not only are these people out of work, now they have to worry about identify theft for the rest of their lives. The final insult is the referral to credit monitoring services where the victims can pay for ID theft protection.”
On March 12, AJLA’s technical support team began noticing system error messages, suggesting strange activity, and law enforcement was notified right afterward. To determine what instigated the activity and what effect it had, AJLA’s tech support team retained a third-party forensic firm to resolve the issue.
A call center was created by AJLA so people affected could get answers about the incident. From 8 a.m. to 8 p.m. CST, Monday thru Friday, users may call 1-844-469-3939 toll-free or email AJLAincidentresponse@AJLA.net for customer service.
While the data breach is a serious incident that will take time to completely recuperate, AJLA was praised by some for its response to the incident and the subsequent actions taken. Their website features an informative and regularly updated FAQ section. Another option for users is to call their own state service or visit their state government’s job seeker website.
AJLA is also offering free credit monitoring services to many that were affected. Those being helped will receive an activation code in an email from AJLA in order to access the solution. The email should come in the following week and will include detailed instructions about how to access the services.