State: Glitch caused data risk for up to 1.9M

Michael Gerstein
The Detroit News

Lansing — Private information stored in a state computer system for unemployment benefits recipients was potentially exposed to unauthorized viewers after a software update inadvertently caused a system glitch that could have affected nearly 1.9 million individuals, state officials said Friday.

The Social Security numbers and names of up to 1.87 million people could have been accessed, but the exact number is being investigated, according to the Michigan Department of Technology, Management and Budget.

Those whose personal information may have been compromised are active employees in Michigan whose payroll information is processed by 31 third-party payroll vendors whose company names the state would not disclose because of the ongoing State Police investigation.

More than two-fifths of the state’s workforce might be affected by the glitch, since the estimated December number of Michigan payroll jobs was 4.36 million, according to the state.

The information was exposed from Oct. 10 to Jan. 30 but does not include addresses, birth dates or phone numbers, according to the state. The breach was discovered Monday and a fix was applied the same day, state officials said.

Everyone whose data was compromised will be notified as soon as possible, a department official said.

“Data security is a top priority for the state of Michigan,” said David Behen, Department of Technology, Management and Budget director and Michigan’s chief information officer. “We will work with our third-party vendors and our state team to review our processes and procedures to avoid incidents like this in the future.”

State officials said the software update allowed “employers and other human resources professionals” to access the information but not people who applied for benefits “or the general public.”

Prior to the system fix, information that might have included first and last names, Social Security numbers and wage information could have been seen by undisclosed workers from any of the 31 companies with ties to the state computer system for a period spanning more than three months. Other personal information was not accessed, the state says.

The state says there isn’t any indication that the exposed information could be used “for malicious purposes” and says it doesn’t appear that the information “was accessed with malicious intent,” but was accidentally viewed by employers who were using the system.

The latest problem involves the same jobless benefits automated computer system that made more than 20,000 false unemployment benefit fraud claims against Michigan residents over nearly two years. The state recently settled a federal lawsuit on the matter.

Michigan House Minority Leader Sam Singh, D-East Lansing, called the glitch another example of Snyder administration mismanagement.

“Michigan’s Unemployment Insurance Agency continues to spiral out of control, from wrongly accusing residents of fraud to now potentially failing to protect the sensitive personal information of close to 1.9 million residents,” Singh said in a Friday statement.

“Gov. Rick Snyder has failed to contain the crisis in this agency and was finally forced to make drastic changes this week because of a court settlement. The people who failed our residents should be held accountable and relying on the services of the Unemployment Insurance Agency. Instead, they are in charge of running it.”

Wanda Stokes, director of the Talent Investment Agency that oversees the unemployment agency, said this week the state earlier had already made many of the changes included in the court settlement.

“Gov. Snyder appointed Wanda Stokes as the director of the Talent Investment Agency last summer to make improvements,” Snyder spokeswoman Anna Heaton said in an email. “Since then, many changes have been made to help residents with their claims and improve accountability at the agency, and that work is continuing.”

Colorado-based Fast Enterprises developed the Michigan Integrated Data Automated System responsible for the thousands of wrongful unemployment fraud determinations and installed the latest software patch that inadvertently created the exposure glitch.

Fast Enterprises spokesman James Harrison stressed that he is not aware that any data has been compromised – only that it could have potentially been seen by unauthorized viewers.

Harrison said he is not aware if the same software caused similar problems with other clients in other states. The company has clients all over the country.

“We obviously double check that immediately and we have not been able to identify yet in our own internal investigations any other scenario where the same thing could have happened,” he said.

“We’re very concerned, and we’re making it a huge priority in our company to do anything and everything that the state of Michigan asks of us,” Harrison said.

Kevin Grifka was wrongly accused of unemployment insurance fraud and slammed with a $12,000 bill from the state because of its automated fraud determination system.

Grifka said the latest news of more problems with the Unemployment Insurance Agency has him worried that after his previous ordeals, he might be facing more problems with the same system.

He said he has had his credit card information stolen four or five times in the past year, finding that someone had charged his card in other states. He doesn’t know if there’s a relationship between the latest potential data breach and his stolen credit card information.

“It’s disappointing,” Grifka said. “Definitely that’s something that I didn’t even think about. If their program has leaked information that’s not good at all. In my opinion, the state has not done their due diligence to help the people of the state.”

The state unemployment agency continues to review fraud determinations made by the automated system between October 2013 and August 2015. It reversed computer-based determinations in 20,965 of 22,427 cases during an initial review. Michigan has so far refunded claimants $5.4 million because of the system’s mistakes.

Department spokesman Caleb Buhs compared the “software update glitch” that was announced Friday with when “one of your apps crashes.”

“That’s similar to what happened here,” Buhs said. “The software update created this vulnerability that allowed others to access information” they weren’t authorized to see.