State of Colorado Pandemic Unemployment System Compromised

The State of Colorado has issued a statement indicating that their Pandemic Unemployment System was compromised over the weekend. The agency that handles Colorado Unemployment Assistance Insurance has offered affected individuals a year of free credit monitoring.

In the official State of Colorado email, the state indicated that they were “notified by our vendor” of the issue. Although they did not name the vendor, it is likely Deloitte. We base this educated guess on a number of factors, including [destination content has been removed at other end :~( ], which includes the statement “Joined by David McCurdy, chief technology officer (CTO) at the State of Colorado, Deloitte presented how the state migrated their integrated eligibility system, Colorado Benefits Management System (CBMS), to AWS”; and [destination content has been removed at other end :~( ] signed in June of 2017.

UPDATE: It has now been confirmed that the vendor was indeed Deloitte. In a statement quoted in the Colorado Sun, Cher Haavind of the Colorado Department of Labor explains that it was a technical error in which Deloitte accidentally gave some users ‘privileged functions’ (such as, for example, superuser privileges – our example, not one provided by Colorado or Deloitte), which allowed those users access to a search function to which they should not have had access and allowed them to search through data belonging to other users. They had that access for nearly 2 weeks (from May 2nd through May 15th).

Explains Haavind, “The vendor discovered that a searchable screen was visible and that fewer than six people had temporary access.”

The bottom line in terms of this incident is that for nearly two weeks, some users of the Colorado Pandemic Unemployment System were able to view the personal data belonging to other users of the system.

And so, of course, the issue isn’t so much how many people could see the data of others, but rather how many people’s data did those six people have access to, and how many records with the personal data of other users did they actually access? For that, the state (so far) ain’t saying.

Here’s what they are saying.

Email from Colorado Pandemic Unemployment Assistance Program Regarding Compromised User Accounts

Pandemic Unemployment Assistance

On Saturday, May 16th, we were notified by our vendor of a limited and intermittent data access issue where a handful of individuals within the new Pandemic Unemployment Assistance application were inadvertently able to view other claimants’ correspondence. The unauthorized access was identified and blocked within one hour. Although there is no evidence of any widespread data compromise, out of an abundance of caution we are offering you the option of enrolling in 12 months of free credit monitoring.

If you would like to enroll, please complete your request at the link below within 45 days (July 2, 2020). Once you submit your request, you will be emailed further instructions within 5 business days. Please know that we hold the confidentiality of your data in the highest regard and our vendor took immediate steps to prevent any unauthorized access in the future.
