Gov. Phil Scott and Labor Commissioner Lindsay Kurrle Credit: John Walters

Gov. Phil Scott announced Thursday that a data breach at a state contractor affects far more Vermonters than initially thought.

The breach happened at a private firm called America’s Job Link Alliance, which contracts with Vermont and nine other states to provide a database for job seekers and employers. Under state law, anyone who applies for unemployment benefits — unless they have a firm return-to-work date within 10 weeks — is required to register with JobLink and regularly use the site to search for work.

Scott said the personal data — name, address, birthdate and Social Security number — of all applicants may have been compromised, going all the way back to the year 2003, when the state began contracting with AJLA. That’s a total of 180,000 applicants in Vermont.

“We initially thought that the breach was on a smaller scale,” Secretary of Labor Lindsay Kurrle said at a Thursday afternoon Statehouse press conference with Scott.

Kurrle said the state had previously believed that accounts that had not been used within the past year had been deleted.

“Part of what we learned throughout, well, yesterday, was that AJLA had not purged those accounts. That does not mean 180,000 people, because somebody could be in there 10 times,” she said. “They might create a new record every time.” She said it’s not known exactly how many individual Vermonters were actually affected.

It could have been worse. JobLink is a “standalone” system for Vermont. The other nine states allowed JobLink to interact with state systems, so their breaches are potentially much larger.

According to Scott, the failure to purge old records may expose AJLA to a lawsuit seeking damages and restitution for those who suffer the theft of personal data, including free credit checks.

The good news? So far, there have been no reports of actual theft or fraud resulting from the breach. “There’s just the potential that is there,” said Scott. He urged anyone who believes they were victimized by the breach to contact state officials immediately.

Kurrle said that AJLA first noticed “suspicious activity on or around March 12.” The firm immediately launched an investigation and called the FBI. “It has not been very long in terms of cyber-breaches,” added Kurrle, meaning that actual theft of personal data may still happen in the future.

The Labor Department’s website features a “Frequently Asked Questions” document provided by AJLA. There will also be a toll-free number with actual human staffers starting Friday.

Scott says no decisions have been made on lawsuits or any other action. “We’ll look at the provisions of the contract and see what recourse we have,” he said. “But we want to make sure we’re taking care of business first.”

Scott was asked if the state has an obligation to hold Vermonters harmless if AJLA fails to do so, since applicants were required to use JobLink.

“I do believe that we have an obligation, because this wasn’t something they sought to utilize on their own,” the governor replied. “So I do think we have some obligation to do something. We’ll be investigating that. I am confident we will have some recourse with the company.”

He also took the opportunity to plug his administration’s digital initiatives, including creation of an Agency of Digital Services. “The fact is, digital threats can come from anywhere,” he said. “The State of Vermont has significant work to do to improve our cybersecurity efforts.”

John Walters was the political columnist for Seven Days from 2017-2019. A longtime journalist, he spent many years as a news anchor and host for public radio stations in Michigan and New Hampshire. He’s the author of Roads Less Traveled: Visionary New...

2 replies on “Walters: State Data Breach Much Larger Than First Thought”

  1. Rich Nadworny recently had a thoughtful commentary on VPR about how our technology is not serving us well.

    Whether it is Vermont Health Connect or the complete lack of cyber-security, it is arguable there have been more cons than pros from forcing everything on-line. Every few months there is a new major hack of everyone’s data, including social security numbers and critical identifying information allowing for identity theft, the most recent being this news about Vermont Department of Labor/Job Link Alliance. This follows on major hacks of Federal Office of Personnel Management (exposing over 21.5 million people); the Anthem HealthCare data breach (78+ million people), etc.

    There have obviously been many conveniences from the incredible expansion of the internet over the last 20 years. But as for record keepers of personal identifying data such as government bureaucracies and health care or financial companies, at what point do we as a society demand these organizations must go off-line and return to paper record-keeping and paper files simply for personal safety and protection of privacy? Maybe all of these companies and government agencies must be held personally liable for every single identity theft, including not just money stolen but time and hassle of being forced to recover identity? The banks seem to do a better job, why are health care companies and the government not able to follow suit?

  2. Rich Normandy is personally invested in contracting with the state and his commentaries are aimed at boosting his ability to win RFPs. Time to hear from a less partial source.
