Some fear damage already done before state tackled KDOL security issue

WICHITA, Kan. (KWCH) - A Wichita woman may have discovered how many Kansans became fraud victims, but when she tried to alert the Kansas Department of Labor (KDOL) to reveal how she accidentally hacked the system, exposing Kansas’ personal information, including social security numbers, she couldn’t get through. So, she called Eyewitness News. We’re sharing this story after the problem was fixed so that more people don’t become fraud victims.

About a week ago, Lisa Hirst first reached out to Eyewitness News and we contacted KDOL. The state said it’s fixed the issue that apparently made many vulnerable, but one Kansas lawmaker is among those worried that the damage has already been done.

Like many struggling to get their unemployment benefits, Lisa Hirst just wanted a callback from KDOL. But when she entered her social security number to get a ball back from the department, she accidentally entered it incorrectly. In doing so, she got someone else’s information.

“I was shocked that I didn’t even have to sign in to KDOL account to access this page,” Hirts said. “I Googled it to find it. I Googled, ‘Kansas PUA callback, (and) any number you type in that, if they have an account with KDOL, you’re going to bring up that person’s information, and right now, KDOL has hundreds of thousands of people intheir system.”

While she said she “can figure things out,” Hirst said her computer experience is limited, which made her all the more alarmed with how she accidentally accessed someone else’s information on a state agency’s website.

“I didn’t mean to hack into their system and it’s scary that I was able to because I don’t, I don’t know that much about computers,” Hirst said. “But you know, within a few minutes, I could have brought up, who knows how many names and their socials and their phone numbers and their email addresses.”

Hirst said she reached out to the news when she couldn’t get through to anyone with the state.

“I tried to call (KDOL). I couldn’t get through on the phone lines, and then I tried to call Governor Kelly’s office, couldn’t get through on the phone lines, and I just didn’t know what else to do,” she said. “I think somebody needed to tell them it was a problem and I wasn’t able to get through, so that’s when I reached out to the news.”

Rep. Stephen Owens, R-Hesston is among those concerned with the damage that was potentially done before KDOL recently upgraded its system with a security upgrade.

“Now that this information has been brought to light, it actually, it helps me understand what might actually be going on,” Owens said. “Originally when we were questioning the fraud department, they were referring back to the Experian and Equifax breach of data a few years back, and possibly that data was sold on the dark web that those social security numbers were being utilized to manipulate our system the so forth and so on. But if it’s as easy as (Hirst) has found it to be, then there wouldn’t even require any purchase on the dark web the information is just there and it’s just a click away. The state needs to be held accountable for the failure, we need to ensure that we are doing our part to protect people’s identities.”

Reports of mass fraud in the Kansas Department of Labor started in June. In addition to knowing one way in which scammers can find information, for the first time, we know just how much money the state could have lost to scammers before the security upgrade.

“Now we’re getting it could be as high as $700 million in insurance claim fraud that has been paid out over the last nine months,” Owens said.

To date, KDOL hasn’t publicly stated how much money the state has lost in fraud, but Owens hired a consulting team to find out.

“We were warned by the federal government back in March that fraud was going to be unbelievable as it relates to these unemployment benefits, yet we are the last state in the nation to take steps to address the security of our website,” Owens said.

With that, some fear the damage is already done.

“I don’t know that I’ll ever feel really safe again because you know somebody could have brought that information up and they could use it 10 years from now, and you’re just gonna have to be diligent and watch your credit report and make sure that there is anything on there that shouldn’t be, you know,” Hirst said. “I don’t think that any of us will ever be safe, because we don’t know who all got the information or when they’re going to use it.”

Eyewitness News reached out to KDOL to ask about the vulnerability in its website. A spokesperson with the agency said the I.T. team has investigated these claims and as far as they can tell, what Hirst experienced is an anomaly with the original PUA system build-out, and is not an issue for any claimant going forward after the investigation. But Hirst said she can’t be the only person to find this, because accessing someone else’s information, though by mistake, was too easy.

Rep. Owens said at this point, we should assume that nearly every Kansan’s identity possibly could be compromised. He said identity theft protection for every Kansas citizen would cost more than $70 million for just one month.

Copyright 2021 KWCH. All rights reserved.