Friday, April 7, 2017

ADWS REFUSES TO DIRECTLY NOTIFY CLIENTS ABOUT BREACH



Instead of directly notifying individuals that had their personally identifiable information obtained by as-yet-unknown hackers, the Department of Workforce Services sent a notice to the Arkansas Democrat-Gazette.

We previously posted about the data breach in this post in March.

This is unbelievable: not very many individuals actually read the paper, and not all of the individuals involved still reside in Arkansas or would be likely to read an article buried in printed media.

While Arkansas law gives that as one of the two options available to ADWS, they chose the method that will reach the fewest number of individuals.


Even their placing a notice and link on their webpage is window dressing, as not many people access that page, especially those that used the Joblink service years ago. http://dws.arkansas.gov/JobSeekers/PDF/NOTICE%20final%20Dem-Gaz.pdf
 

The vendor that operates the service under a contract with ADWS did send out notices, but ADWS had a responsibility to contact each individual by sending a letter, as the email address used by the individual may no longer be active or in use.





Shame on ADWS for failing to do the right thing and protect Arkansas citizens when their data security measures failed and they didn't purge their system of personally identifiable information after a fixed period of time.

 

Sunday, March 19, 2017

DWS DISCOVERS VIRUS IN SYSTEM AND FAILS TO FOLLOW LAW TO PROVIDE REQUIRED NOTIFICATIONS

ADWS SPOKESMAN STEVE GUNTHARP RULES OUT HACKING AND PLACES BLAME ON AN ADWS CLIENT FOR PUTTING VIRUS IN ARKANSAS JOBLINK SYSTEM
  
The Arkansas Democrat-Gazette published a story last week that revealed that the Arkansas Department of Workforce Services discovered a virus in a database that contains personally identifiable information of an estimated 19,000 Arkansas citizens that were seeking employment.

ADWS spokesman Steve Guntharp stated that it was not immediately clear if the virus had extracted personal information before it was detected.

Guntharp blamed a user for placing the virus in the Arkansas JobLink system.

"The only thing we know is somebody entered their information in and somehow got that [virus] into the system," Guntharp said. "We are working right now on trying to determine what the extent of the breach was."

The breach was discovered by a contractor that maintains the database for ADWS.

Ark. Code Ann. § 4-110-105 requires ADWS to notify any resident of Arkansas whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized individual by a breach of their system.



Guntharp stated that the information dates back to 2001, but not to worry because accounts are deactivated after 90 days. 

But the information remains in that system indefinitely, Guntharp reluctantly admitted.

A reasonable person would question why the heck ADWS would maintain personally identifiable information about individuals, individuals that cannot access or remove the information after 90 days, on such unsecured servers.

The personally identifiable information that could have been or was obtained by hackers and criminals can be used in a variety of ways.

In fact, the same day that the Arkansas Democrat-Gazette ran a story about the ADWS breach, they also ran a story about a lady in Arkansas that admitted to defrauding the government out of $262,691 in SNAP benefits from multiple states by using other individuals' Social Security numbers, etc. (like the information in the Arkansas Joblink database that was breached) to make on-line applications for benefits.

Such information could also be used to open accounts, obtain credit cards, and many other things.

If you used the Arkansas Joblink system anytime since 2001, call Guntharp at 501-837-8700, and ask him why his agency kept your information and if they are going to provide credit monitoring services.