By Rachel Mipro, Kansas Reflector
TOPEKA, Kan. (Kansas Reflector) — Kansas’ IT system for unemployment claims could have been hacked by any fifth-grader, the chairman of an oversight committee said during a tense meeting Wednesday on security breaches.
“Most of it was grade-school type stuff that we should’ve been aware of in the first place,” said Rep. Sean Tarwater, a Stillwell Republican and chairman for the Unemployment Compensation Modernization and Improvement Council.
The meeting, which lasted almost five hours, came after a cybersecurity investigation by accounting firm FORVIS into the Department of Labor’s IT system. The system has been criticized for inefficiency, especially during the COVID-19 pandemic, when unemployment claims overloaded the system and lack of oversight contributed to identity theft fraud estimated at between $300 million and $600 million.
The investigation report, commissioned by the oversight council, now puts that amount between $441 million and $460 million in potentially fraudulent claims, said FORVIS employee Tom Haldiman. More than 90% of potentially fraudulent claims were filed via the internet.
During Wednesday’s council meeting, legislators clashed with Labor Secretary Amber Shultz about how much information should be revealed to the public about the data breaches that led to record-high identity theft and unemployment insurance fraud.
Tarwater said he wanted as much transparency as possible about the breaches, dismissing claims that revealing the IT program’s former weak points would encourage future system hacks.
“I don’t really think that there was anything in any of these reports that would put Kansas at risk,” he said.
Shultz supported keeping information related to the hacks private.
“Personally, I thought it was appropriate to redact that information because we don’t want to let any security information out to the general public,” Shultz said in an interview after the meeting.
The Kansas Reflector obtained a copy of the redacted report, which isn’t available to the public. While some of the information has been blacked out, all of the original text of the report is accessible by simply copying and pasting from the document — a security risk in itself.
The redacted report showed three critical security problems, which need to be immediately addressed, and two high-risk areas, which need to be priorities.
Recommendations for security improvements included concerns that hackers could access site traffic and then impersonate the system, as well as guidance on what kind of domains the systems use. The report also urged system administrators to use stronger passwords.
One recommendation noted that some systems had openings that could allow attackers to gain access to the system without requiring a password.
As part of the investigation into cybersecurity threats, FORVIS connected a testing device to the department’s internal network to simulate a cyber attack. During the simulation, five passwords were cracked and 10 security authentication protocols were intercepted, though no sensitive information was accessed, the report said.
Legislators blamed the outdated system and lack of adequate security measures for the colossal losses. Council member Jake Miller, an attorney appointed to the council by Gov. Laura Kelly in 2021, said the system should have been upgraded years ago.
“I’m 31 years old, and the system is literally older than me,” Miller said. “But we’re blaming all of these things, what could we have done in the last 18 months, and I get it, there could have been reaction times better, different things. It was an ongoing issue. But my point is, what would have been different in this situation had the system been revamped seven years ago, eight years ago?”
There have been several different plans to overhaul the IT system over the years. It was set to be rebooted in 2011, but former Gov. Sam Brownback’s administration halted efforts. Before the pandemic, Gov. Laura Kelly planned to modernize the mainframe system, which dates from the 1970s, but system overhauls didn’t begin until May of this year.
Legislators questioned Shultz, who has a background in IT, about her handling of the system. She was put in charge in 2021, following turmoil within the department. They expressed concern that Shultz was not doing enough to improve security, citing high departmental turnover rates and ongoing fraudulent insurance claims.
She denied any data breaches within the department.
“Our systems were not compromised,” Shultz said. “We’ve been very clear on that throughout the meeting with the council.”
Tarwater pushed back on the statement, saying that the department originally had a website page open to the public where Social Security numbers could be typed in, and once entered, would generate all other taxpayer information.
“I think that we were compromised a lot more than we thought,” Tarwater said. “But the fact that we had an open webpage to the public, that you could randomly type in Social Security numbers, my guess is a lot of those bots that were hitting us that we stopped eventually were firing Social Security numbers at that page.”
Rep. Susan Estes, R-Wichita, who asked Shultz multiple times about her security improvements during the meeting, said she was worried that Kansans who had their identities stolen were not being treated fairly by the department.
Some have reported having to pay the Department of Labor after having their identities stolen.
In one testimonial handed out during the meeting, a public accountant said his client, a woman in her late 70s, was placed in a state debt payoff program after her identity was stolen for fraudulent unemployment benefits.
Despite her attempts to notify the Department of Labor about the fraud, the department ignored her communications and held her responsible for the fraudulent payout, with the Department of Revenue withholding her 2020 and 2021 income tax refunds, the testimonial said.
“I am deeply concerned that that information is not out,” Estes said about the report. “I feel Kansans have a right to know, especially if your life was destroyed by the way the Department of Labor treated you.”