Illinois blames ‘glitch’ for exposure of PUA applicant Social Security numbers, private data

Sensitive unemployment benefit claimant information was made public on an online portal.
Written by Charlie Osborne, Contributing Writer

The Illinois Department of Employment Security (IDES) has acknowledged a security lapse that exposed the private information of independent contractors and the self-employed. 

IDES blamed the security incident on a "glitch" in a new system rolled out to process the claims of citizens in the state of Illinois who need to file for unemployment benefits.

Names, Social Security numbers, and other data points -- including phone numbers and addresses -- related to unemployment claims were leaked through the scheme's website, which has been set up to give gig workers access to funds if they have lost their jobs due to the COVID-19 pandemic. 

As reported by WBEZ, the new system -- known as Pandemic Unemployment Assistance (PUA) -- launched last week to cater to those who would otherwise not necessarily be covered by unemployment benefits in the state. Over 44,000 applicants opened a claim within the first 24 hours. 

IDES' data leak was uncovered by a business owner who applied for benefits and realized she was able to view information belonging to others. According to the publication, "thousands and thousands" of records were available. 

A spokesperson for Governor JB Pritzker's office acknowledged the problem, saying on Sunday that the IDES was "aware there was a glitch in the new PUA system that made some private information publicly available for a short time and worked to immediately remedy the situation."

The security hole was plugged within an hour. However, it is not known how many applicants may have been impacted. 

The agency has also not revealed what caused the data leak in the first place but says that an investigation has been launched into the matter. Deloitte is working with IDES in a cyberforensics capacity and to improve the portal's security. 

In Arkansas, access to the system was temporarily closed down due to the reported leak, with teams working over the weekend to try and process claims and push benefits "out the door."  
