Hackers attacked 30,000 unemployment people and leak their personal data

A programmer who applied for social assistance in the Arkansas Pandemic Unemployment Program discovered a security flaw in the registration system that exposed Social Security numbers, bank account numbers, and other confidential details of at least 30,000 applicants for the benefit. Cyber security course experts fear that threat actors have accessed this information for malicious purposes.

After discovering the vulnerability, the programmer called the Arkansas Workforce Services Division, although they only replied that there was no one who could attend to his report at the time. He then tried someone from the Criminal Investigation Division of the Arkansas State Police, who told the programmer that he would find the person he needed to talk for solving the issue. The programmer then called the Arkansas Times for advice on who to call. The Times alerted the Labor Services Division about the problem at 4:30 p.m. Shortly thereafter a message appeared on the website saying, “The site is currently in maintenance.”

“The security and privacy of our applicants’ data is a very serious matter for us,” said Zo-Calkins, director of communications for the Workforce Services Division, in a message via email. “We disconnected our computer systems as soon as we hear about this incident, limiting network access from abroad. We are committed to completing a full forensic review and will take all appropriate action in response to our findings.”

Regarding the affected social program, cyber security course experts mention that this is a new federal aid program for self-employed workers whose income has been affected by the coronavirus outbreak. The portal was launched on May 5, a few weeks after the official launch of the program.

When browsing the website, the programmer found that, by simply removing part of the site URL, he was able to access the site’s admin portal, where he even could edit applicant’s personal information, including bank account data. From the management portal, he saw the source code for the page and saw that the site was using an API to connect to a database. That API was left unencrypted, so the programmer could access all applicants’ data, as mentioned by cybersecurity course experts. The programmer shared the vulnerability with a colleague, who managed to exploit it for easy access to the compromised database, mentions the International Institute of Cyber Security (IICS).  

The programmer said that any moderately skilled hacker could develop a script to collect the information exposed in less than an hour, although no evidence of access to this database has been reported.