A Data Breach at Florida's Unemployment Website Impacts an Undisclosed Number of Users
People who have been left unemployed because of the coronavirus pandemic are in a pretty bad situation. At this point, nobody can say when they'll be able to get back to work, and some of them are already struggling to make ends meet. The very last thing they need is to worry about identity theft. Sadly, some Florida residents will need to think about that as well.
Yesterday, news outlets throughout the Sunshine State broke the news that Florida's Department of Economic Opportunity (DEO) has suffered "a data security incident." The leak apparently happened at the website handling people's reemployment assistance applications, and it involved full names and social security numbers. The DEO promised that affected individuals will be notified and will receive identity theft protection for free.
Imagine for a moment that you are a Florida resident who has been left without a job, and you learn about the DEO data breach from the news. You'd probably be in a hurry to get more information about the incident. This, unfortunately, is a lot harder than it should be.
The DEO is making a mess out of the data breach's disclosure
We've often said that transparent, detailed disclosure of everything that's happened is extremely important in the wake of a data breach, and sure enough, some of the organizations that inadvertently lose people's data do try to make everything clear. Press releases are published, and FAQ pages are often set up in an attempt to put people's minds at ease and let them know what they need to look out for. The DEO, however, decided not to bother with any of this.
The news broke after the media stumbled upon the letter the DEO sends to affected individuals. The department itself hasn't made a public announcement, and there's nothing on its website to suggest that people's information has been put at risk.
The letter appears to have been sent in early May. The department says that it learned about the leak in April, but there's no information on when the actual breach took place. Less than an hour after it became aware of the leak, the department stopped it.
The DEO hasn't announced officially how many people could be affected by the breach, and it hasn't said who is responsible or how it happened. What we do gather from the letter is that the leaked information "was unintentionally sent to a private email server owned by a third party performing work on the agency's behalf."
This, coupled with the fact that, according to some news outlets like WFTV, the number of affected people sits at fewer than 100, might just suggest that the breach isn't that bad. Whatever the case, the fact remains that the DEO is not handling the incident in the best possible way. Mind you, this is not the only thing the department is struggling with.
The breach isn't DEO's only problem
The breach happened at DEO's CONNECT platform, which appears to be quite problematic. Even before the COVID-19 pandemic, the website was criticized for its flawed functionality, and the influx of unemployment claims didn't do it any favors. Thousands of Floridians complain about delayed processing of their claims and about problems when trying to reach out to the department to get them resolved.
Given the lack of official information, we can only guess how serious the DEO's data breach might turn out to be. What we do know for certain is that the department has a lot of issues to solve.