A massive security breach at the Vermont Department of Labor may have compromised the Social Security numbers of tens of thousands of Vermonters, and Gov. Phil Scott says the state is contemplating legal action against the private vendor responsible for the breach.
The breach affects a database maintained for the state of Vermont by a third-party vendor, called America’s Job Link Alliance. Scott says the state learned Wednesday that “the vendor now believes more than 180,000 accounts on Joblink were compromised.”
The breach could affect anyone who’s applied for unemployment since 2003, and has entered information into an online jobs database that people are required to use to demonstrate they’re seeking new employment.
When people file for unemployment, they’re in most cases required by state and federal law to look for work.
“And as part of their regular job search, they have to put their information into the database and they then can use that database to help them find jobs,” says Commissioner of Labor Lindsay Kurrle.
America’s Job Link Alliance has since resolved the security breach, according to Scott. But for anyone who’s used that database since 2003, when the vendor took over the account, the damage may have been done.
"This is appalling and I know this will be incredibly burdensome to the tens of thousands of Vermonters who are impacted." — Gov. Phil Scott
“This is appalling and I know this will be incredibly burdensome to the tens of thousands of Vermonters who are impacted,” Scott says.
Scott says his administration is now working to make sure that America’s Job Link Alliance plays a financial role in mitigating that impact. The company maintains similar databases in 10 other states that have also been affected by the breach. Scott says Vermont and other states are considering any number of options, including legal action.
When first notified of the breach, Kurrle says the state initially believed that personally identifying data was purged from the system after a year.
“Part of what we learned yesterday was that AJLA had not purged those accounts,” Kurrle says.
That means people who used the database more than a decade ago could have had their Social Security numbers stolen as a result of the breach.
Scott says there’s no evidence at this point that anyone’s online identity has been stolen, or that information has been used for nefarious purposes. But he says anyone affected needs to be on the lookout for unauthorized financial activity.
“And we want to make sure that Vermonters who have used this Job Link check their credit rating, and see if there’s been any suspicious activity and report it,” Scott says.
Scott says he wants America’s Job Link Alliance to pay for that credit monitoring. If they don’t, then Scott says he believes the state should incur those costs, rather than consumers.
“We feel that that’s not an obligation that should be borne upon them individually, that the company should provide that,” Scott says.
America’s Job Link Alliance didn’t immediately respond to a request for comment Thursday. Scott says he’s pushing the company to notify any individuals whose data may have been compromised.
In the meantime, Scott says the episode demonstrates the need for heightened cybersecurity precautions in state government and the private sector.
“The state of Vermont has significant work to do to improve our cybersecurity efforts,” he says.
Kurrle says America’s Job Link Alliance will have a hotline up by Friday that Vermonters can call for more information. She says Vermonters will be able to access that hotline through the Department of Labor website.
Update 3/24/17 5:15 p.m. Vermonters that have used Joblink and want more information can now call 844-469-3939. It will operate Monday through Friday from 9 a.m. to 9 p.m. for 15 business days, according to the Vermont Department of Labor.
