Pandemic Unemployment Assistance website was faulty, but no evidence it was hacked

The hastily built site for Arkansans applying for pandemic benefits was vulnerable to data hacking for two weeks, but there’s no evidence anyone did.

Arkansas lawmakers heard Monday that the website built in May to sign up for pandemic unemployment benefits did have coding problems that could have made applicants’ private information visible, but there’s no evidence anyone exploited the vulnerability.

“It appears that unauthorized individuals may have been able to view the information of other PUA applicants that may have applied between May 1st and May 15th,” said Carder Hawkins, the Chief Inspection Officer for the Department of Workforce Services.

Hawkins appeared before the Joint Committee on Advanced Communications and Information Technology.

The Department was in a hurry to establish a way for thousands of workers who previously would not have been able to qualify for unemployment benefits to collect from the program established by Congress through the $2.2 trillion CARES Act in March. 

The website went live a month later.

Governor Asa Hutchinson announced in May that someone had breached the site’s security and it was offline to the public for several days for repairs. A third-party security company patched the hole and at-risk applicants were offered free credit monitoring and fraud protection.

“To date, we have no evidence or information that this information was misused in connection with this event,” Hawkins said.

The FBI confirmed they are still investigating the matter but offered no other details. Hawkins said he was limited in how much more he could share because of the investigation, but lawmakers still had questions.

“Was there nobody checking it to make sure the code didn’t have some problems in it? That it did allow for something like this?” said State Rep. Frances Cavenaugh (R – Walnut Springs), who told Hawkins she had computer programming experience.

Hawkins said quality control checks had been in place but blamed the oversight on the rush to get the website online.

Other lawmakers questioned whether the rash of fraudulent claims that are holding up thousands of benefit applications could be linked to the vulnerable site. The governor and three legislators at the hearing all said they or their family had been targeted by scammers using names to try and collect benefits.

“What we understand is that it is not linked and there’s no evidence or indication that those are linked,” Hawkins said. pointing to the timing of the fraudulent claims and the fact that none of the people targeted would have been in the PUA database.

Love was among those targeted and was satisfied with the inspector’s answers about the current scams, but still has questions about the website problems.

“I really would want to delve a little deeper to make sure this doesn’t happen again and that all Arkansans are protected,” he said, noting he expects the inspectors to return next month.

Hawkins announced that the department had almost 216,000 applicants to the program and almost $807 million have been paid entering this week.