TOPEKA — Kansas’ IT system for unemployment claims could have been hacked by any fifth-grader, the chairman of an oversight committee said during a tense meeting Wednesday on security breaches.
“Most of it was grade-school type stuff that we should’ve been aware of in the first place,” said Rep. Sean Tarwater, a Stilwell Republican and chairman of the Unemployment Compensation Modernization and Improvement Council.
The meeting, which lasted almost five hours, came after a cybersecurity investigation by accounting firm FORVIS into the Department of Labor’s IT system. The system has been criticized for inefficiency, especially during the COVID-19 pandemic, when unemployment claims overloaded the system and lack of oversight contributed to identity theft fraud estimated at between $300 million and $600 million.
The investigation report, commissioned by the oversight council, now puts that amount at between $441 million and $460 million in potentially fraudulent claims, said FORVIS employee Tom Haldiman. More than 90% of potentially fraudulent claims were filed via the internet.
During Wednesday’s council meeting, legislators clashed with Labor Secretary Amber Shultz about how much information should be revealed to the public about the data breaches that led to record-high identity theft and unemployment insurance fraud.
Tarwater said he wanted as much transparency as possible about the breaches, dismissing claims that revealing the IT program’s former weak points would encourage future system hacks.
“I don’t really think that there was anything in any of these reports that would put Kansas at risk,” he said.
Shultz supported keeping information related to the hacks private.
“Personally, I thought it was appropriate to redact that information because we don’t want to let any security information out to the general public,” Shultz said in an interview after the meeting.
The Kansas Reflector obtained a copy of the redacted report, which isn’t available to the public. While some of the information has been blacked out, all of the original text of the report is accessible by simply copying and pasting from the document — a security risk in itself.
The redacted report showed three critical security problems, which need to be addressed immediately, and two high-risk areas, which need to be priorities.
Recommendations for security improvements addressed concerns that hackers could access site traffic and then impersonate the system, and covered what kind of domains the systems use. The report also urged system administrators to use stronger passwords.
One recommendation noted that some systems had openings that could allow attackers to gain access to the system without requiring a password.