The hack of an unemployment insurance technology company that disrupted more than a dozen state agencies’ systems caught the attention of the US Department of Labor and its independent watchdog.
And although the system outages were short-lived, the incident reiterates the importance of best practices within the unemployment system, such as states performing independent cybersecurity audits and having backup systems to keep paying benefits if their main systems go offline.
At least 18 states that contract with Florida-based Geographic Solutions Inc. had their job search or part of their unemployment insurance systems offline for a period of time within the last three weeks after the company detected “anomalous activity” and shut down its network.
The DOL’s Employment and Training Administration, which oversees the federal-state unemployment system, has since “notified the department’s Office of Inspector General of the cybersecurity event experienced by some UI state agencies,” DOL spokesperson Monica Vereen said in a statement.
The Labor Department’s referral of the event to its IG comes as the DOL and state agencies are working to modernize the jobless safety net after at least $163 billion in unemployment funds were defrauded from state systems during the pandemic, and delays caused months-long waits for applicants to receive benefits.
It also underscores the challenges policymakers have faced shoring up state workforce systems. While the federal government sets the general structure of how programs should work and pays for states to administer unemployment benefits, each state makes its own rules and operates its own system.
“It does point out some important issues,” said Andrew Stettner, a senior fellow at the Century Foundation, a think tank. “If a state system goes down they can’t turn to another state, they can’t turn to the federal government, there’s no other way to get people benefits.”
The DOL was first notified of the disruption on June 28 and said, “No state has reported to ETA that personally identifiable information has been compromised.”
Systems in Louisiana, Nebraska, and Tennessee—which rely on GSI for claims processing—went offline as a result of the breach, affecting at least 23,000 people seeking to recertify their benefits for another week.
According to both the DOL and GSI, those three state systems are now back online.
“The department’s Employment and Training Administration regional offices worked with the affected states to monitor the impacts of this issue in these three states,” DOL’s Vereen said. “We will work with the states to ensure that appropriate action is taken so that the states are prepared if similar events should happen in the future.”
Bloomberg Law surveyed state workforce agencies and found 15 other states that also experienced disruptions to some of their offerings, such as job search functions. Those are used by unemployment benefit claimants in some states to certify that they are actively seeking work—a requirement to keep receiving benefits.
In one instance, when California’s virtual jobs center “CalJOBS” went offline because of the GSI outage, the state temporarily waived requirements for unemployment insurance recipients to register on the website and upload their resume, according to a statement from the agency.
The DOL encourages states to have backup systems in place that let them continue processing claims if a disaster knocks out their main system, said Joe Vitale, a consultant for On Point Technology who previously led information technology at New Jersey’s unemployment agency and later at the National Association of State Workforce Agencies.
But having a comprehensive backup option—ideally with a separate technology vendor, using different cloud servers and a separate IP address—can be too costly for many state agencies, as unemployment administration isn’t often treated as a high priority in state budgets.
“As you add all these features to avoid going down it gets more expensive,” Vitale said.
The DOL has issued cybersecurity guidance and grants to state agencies stretching back to 2004. In a program letter from late 2020 (UIPL No. 04-21), the agency made a range of recommendations including that states hire independent consultants to conduct security audits.
“I think it is a weakness in the program that we have, we don’t have that backup capacity,” said Stettner of the Century Foundation, adding that the federal government could consider building a system to collect backup claims data so that states could continue paying out benefits even while their system is down.
Some policymakers have advocated for the government to develop centralized unemployment technology that states can choose to adopt so that applicants have a more uniform and easier experience.
The DOL last year launched a “Claimant Experience Pilot” in New Jersey and Arkansas aimed at designing a model application system that other states could recreate.
But that approach could have some security pitfalls.
When a system is compromised, as in the case of GSI, every state using the system must shut down its system, leading to outages across multiple states. Similarities across state systems could also provide scammers with a map of how to target their next victim, although the DOL has encouraged states to share information with and use tools provided by the National Association of State Workforce Agencies so that other states can learn how to protect themselves.
Roughly 10 technology providers support the UI systems for most states, with products spanning claims processing, employer taxes, and job-search functions, said Doug Holmes, a former state unemployment director in Ohio and now president of business lobbying group UWC – Strategic Services on Unemployment & Workers’ Compensation.
“Today there is very much reliance on the third-party vendors to design the system and to be key in implementation and then follow up if there are issues,” he said. This use of third-party vendors allows state agencies to tap into technical expertise that they often can’t afford to maintain in-house with limited state funding, he added.
Coincidentally, GSI founder Paul Toomey was speaking on a panel discussion about UI program integrity at a national unemployment insurance conference when GSI’s system was hacked, Holmes said.
Conference attendees were told the incident at GSI was a ransomware attack and that the FBI had become involved, Vitale said.
GSI didn’t immediately respond to follow-up questions about the nature of the incident.
In its initial statement, GSI said it’s conducting a “full investigation” with third-party specialists on the breach.
“To date, we have no evidence that any sensitive customer or end-user information was affected. Should that change as our investigation progresses, we will move quickly to notify the affected parties,” the statement said.