Ten states subscribed to a job-matching and workforce development service called America's Job Link Alliance had user account data compromised.
Personal information and Social Security numbers tied to as many as 4.8 million accounts hosted on a multi-state job board system were compromised between Feb. 20 and March 14, America's Job Link Alliance (AJLA) revealed this week.
The hacker created an account and gained access to the names, dates of birth and Social Security numbers of users in all 10 states that use the Kansas-based system: Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont.
Access to the information was gained through a "vulnerability in the AJL application code" introduced October 2016 that has now been corrected, the organization said.
Several states' department of labor (DOL) websites have posted information about free credit screening for affected users and about their intention to cooperate with an independent forensic firm and the FBI in pursuing the hacker.
So far only Idaho, Delaware and Maine have reported numbers on affected accounts. Idaho reported 170,000 of 530,000 users affected. Delaware reported 200,201 of 253,420 users affected. And a contact at the Maine Department of Labor told StateScoop that 283,000 of 350,000 accounts were affected.
In what proved to be poor timing, Maine joined the system only in July, to meet federal reporting requirements and avoid losing the funding it receives through the Workforce Innovation and Opportunity Act. In nearly 50 years of operation, AJLA reports this is its first hack or data breach. Maine's old system doesn't meet the federal requirements, and the state has no intention of leaving the AJLA system, the spokesperson said.
Delaware DOL Secretary Patrice Gilliam-Johnson said in a press release that the department was "extremely troubled" by the "reprehensible" hack.
AJLA's description of the problem as both a "vulnerability" and a "misconfiguration" could cover a "range of sins," said Tony Sager, senior vice president and chief evangelist at the Center for Internet Security.
It could have been debug code that was left behind, or it might have been a matter of accidentally granting administrative permissions to regular users, he said, but exactly what happened isn't clear yet. A configuration issue would mean that some aspect of the AJLA database was exposed to the public internet.
As for the issue of states farming out services that deal with sensitive data, Sager said that because these types of systems are complex, knowledge-rich and must be updated regularly, it makes sense to contract out the service.
"A lot of these things, you could build yourself, but why would you? If you've got a team of two kids in the back room building your system, you're probably going to get a different set of errors and probably more errors," he said.
Though AJLA says that accounts created after March 14 are not affected, accounts dating back to 2007 may have had their data compromised.
AJLA was not immediately available for comment.