MONTPELIER, Vt. — Gov. Phil Scott said Vermont may seek legal recourse against America’s Joblink Alliance, a Kansas-based third-party contractor that announced a security breach affecting the Joblink database used by the Vermont Department of Labor.
Scott, speaking during a news conference Thursday at the Statehouse, said that the data breach is far bigger than was first announced on Wednesday.
The incident has spread to 10 Joblink Alliance states: Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont. The governor said personal and Social Security data were involved in the cyber attack, though the extent of the breach is still under investigation.
“We are seeking recourse with this company. [The contract with AJLA] is on the table, and [severing] it is a possibility. We’re looking into the contract as we speak,” Scott said.
Scott said the contract with the state, in effect for about 16 years, was being examined by the Vermont attorney general, as well as the general counsel of the Department of Labor and the administration.
Vermont Department of Labor Secretary Lindsay Kurrle, standing with Scott at the briefing, said older Joblink accounts that should have been purged by AJLA were not deleted, and may have been compromised. The FBI is now involved in looking into the cyber attack, and Scott advised that those who see suspicious use of their personal data should contact the attorney general’s office.
As many as 186,000 Joblink accounts may have been affected. Some of the accounts are duplicates, as many job seekers enter and reenter the system over the years as needed.
A statement this week from America’s Joblink Alliance said the breach occurred Feb. 17, after a hacker created a fake job-seeker account within its system. “The hacker … exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers. This misconfiguration has since been eliminated,” AJLA reported.
Kurrle said that Joblink is a standalone website and therefore does not compromise other state databases. She added that state workers don’t manage the data.
“AJLA is the owner of the database [and] the program software,” she said. “… State employees don’t enter the data. What we do know is that name, date of birth, address and Social Security numbers are all in the database. The federal government requires us to have the Social Security field in there.”
Kurrle added that using Joblink’s job resources is a requirement for collecting unemployment compensation. She did not know what the contract costs of the AJLA services were to the state.
The breach follows an executive order Scott signed in January that outlines the formation of a new Agency of Digital Services. This week’s breach occurred as Montpelier has increasingly relied on private vendors — including Parsons Corporation for the new digital motor vehicle inspection program — to administer cyber services for state agencies.
Scott said the Agency of Digital Services aims to put information technology management under one roof for better oversight and security. Ironically, the Joblink hacking occurred just one month before the new agency’s secretary and chief information officer begin their new jobs.
“The state of Vermont has significant work to do to improve our cyber security efforts,” Scott said. “This is one objective of my executive order to creating an Agency of Digital Services. By unifying the state’s info tech portfolio and management under one roof, we can more strategically and uniformly address digital threats.”
Scott and Kurrle recommended that Vermonters monitor their personal credit reports with credit reporting agencies such as Equifax and TransUnion.
Lou Varricchio is Vermont bureau chief at Vermont Watchdog.org.