AP reports: A country program that was created to process unemployment applications in Arkansas for self-employed individuals or gig saving workers appears to get been illegally accessed and has been shut down, officials announced Saturday. Gov. Asa Hutchinson said he learned friday evening that an applicant for the program is believed to get somehow accessed the system, prompting an investigation of a possible data breach. Read more on KATV. But the transgress appears to be more of a leak/vulnerability that exposed the data of 30,000 applicants. Were the data scraped or dumped any where, though, or were these people just at risk and some expert noticed it and alerted them? There’s a lot that’s confusing in much of the reporting including Fox13’s headline blaring that “Hackers leak over 20,000 unemployment applicants bank information.” What hackers? Where? Lindsey Millar’s reporting on ar times provides helpful details as to the vulnerability that was discovered: In exploring the website, the computer programmer determined that by simply removing part of the site�s URL, he could access the administrative portal of the site, where he had the option of editing the personal information of applicants, including bank account numbers. From the admin portal, he viewed the page�s source code and saw that the site was using an API (application programming interface) to connect with a database. That API was also left unencrypted, and he could access all of the applicants� raw data, included social Security numbers and banking information. In about ii minutes, the computer programmer described the vulnerability to another programmer the�Arkansas Times�engaged, who then used the information to easily enter the system. To access the sensitive information, the second programmer only needed to create an account, not actually apply for assistance.
