Many people are still seeking jobs following the mass layoffs spurred by the COVID-19 pandemic, and thus still filing for unemployment benefits as a result. Unfortunately, cybercriminals have also targeted these same systems for attack. AP News found that several states are dealing with a disruption of unemployment benefits caused by cyberattacks, leading to missed payments for those still out of work.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
States’ unemployment benefits affected by cyberattacks
A number of states including Louisiana, Nebraska and Tennessee were affected by cyberattacks that occurred in the last two weeks, with each of the sites’ corresponding unemployment benefits having been taken offline. The company that handles unemployment benefits for 40 states and Washington, D.C., Geographic Solutions Inc., was reportedly affected by attacks that began June 26, according to a number of sources. As a result of the attack, several of the states’ unemployment websites were taken offline in order to mitigate further potential damage.
For residents of Tennessee, payments to at least 12,000 individuals are to be suspended, and in Louisiana payments will come two days later than normal as part of the attack.
In a statement released by Geographic Solutions on June 29, the company said they believed no personal data was accessed as part of the attacks and no data was removed from its network operations center. As of July 6, the website for Geographic Solutions was down for maintenance, with no updates on when unemployment benefits would be fully operational again.
Tim Marley, vice president of Audit, Risk & Compliance and field CISO at Cerberus Sentinel says that this type of risk becomes a factor when relying on third-party vendors to handle sensitive data and the management of unemployment benefits.
“We’ve witnessed a significant shift over the last decade from ‘on premise’ systems to ‘cloud hosted’ solutions,” Marley said. “We’re trading the responsibility to directly control and manage these systems and trusting our vendors to do this for us. This shifting landscape has placed much greater emphasis on the need to validate that our third-party vendors are managing our systems and data responsibly and securely.”
In addition, Marley says that the assessment of vendor performance as seen with a company like Geographic Solutions needs to be more thorough when considering the types of personal and sensitive data being collected and handled by a third party vendor.
“A mature Third-Party Risk Management program requires that we assess those vendors that could directly impact the confidentiality, integrity or availability of our systems and data,” he said. “These assessments should be conducted prior to engaging with a new vendor and no less than annually for existing vendors. Over the last few years, we’ve observed significant growth and demand in the third-party audit and/or certification market. Service providers are voluntarily securing third-party attestation to appease their client base and maintain a mature security program.”
At this time, it was not made public which type of malware the Geographic Solutions systems were subjected to, or when all of the unemployment sites would be up and running again.