Security problem could affect 130K Ohio unemployment seekers

A security problem potentially exposed the personal information of about 130,000 laid-off Ohioans who have applied for pandemic unemployment assistance.

Some local community members, like 39-year-old Dayton resident Autumn McGill, were notified on Wednesday that their information may have been compromised.

McGill said she is very frustrated, partly because she has waited about two months for her unemployment benefits to be approved, but the first and only message she received from the state is about the security failure.

“This is unacceptable,” she said. “That’s the one place you should be able to put your information in safely and not have to worry about things like this.”

Coronavirus: Complete Coverage by the Dayton Daily News

Deloitte Consulting, which is developing the state’s pandemic unemployment program, says it inadvertently gave multiple unemployment-compensation seekers unauthorized access to other applicants’ personal information, including their Social Security numbers.

Deloitte Consulting fixed the problem and has agreed to take immediate steps to prevent unauthorized access in the future, the state said. Deloitte is offering a year of credit monitoring for all people who have filed claims for benefits.

“We are deeply committed to protecting the personal information of our clients and the people they serve,” Deloitte said in a statement. “The system was not breached.”

The company said about unemployment assistance claimants inadvertently were given access to a restricted page when logged into the state’s online platform.

Within an hour of learning of the issue, Deloitte said it identified the source of the problem and stopped the unauthorized access.

The Ohio Department of Job and Family Services says about two dozen people had access to other applicants’ information for about an hour, but there is no evidence of a widespread data compromise.

On Wednesday, Job and Family Services sent messages to unemployment seekers saying on May 15 their names, Social Security numbers and street addresses accidentally were viewable by others.

The message encourages applicants to monitor their credit and obtain a copy of their credit reports.

“At this time, there is no evidence or indication to believe that your personal information was improperly used; therefore, our actions, as well as the actions you may want to consider, are preventative,” the state’s message says.

MORE: Homeownership up in Ohio. But will it last after the pandemic?

The state told applicants that Deloitte would offer free Experian IdentityWorks identity protection services for the next 12 months.

McGill, who is an investigative research analyst, said she learned on Wednesday that an unknown individual did a credit check through TransUnion.

She believes her personal information once again could be compromised. She said her information was stolen and misused after past data breaches, including one involving T-Mobile.

McGill said this security failure is a debacle and free credit monitoring does not make up for the headache and hardship this mistake could cause. She said she already has credit monitoring in place from past incidents.

>> Answering key questions about the economic crisis: Have we hit bottom yet? 'Far from it'

“They say, ‘We’ll give you some identity protection,’” she said. “What are you going to protect me from? Someone has all of my information again, and you gave it to them.”

McGill said she’s spent thousands of dollars on identity protection services and repairing her credit in recent years after her identity was stolen.

Credit monitoring is not going to help if personal and financial information has fallen into the wrong hands, she said.

“Go ahead and monitor my credit — whoop-de-do da,” she said. “That’s not going to stop somebody from using it.”

>> Coronavirus: Will workplaces ever be the same?

There’s no excuse for this carelessness, and hopefully this won’t ruin too many people’s credit records, she said.

The Ohio Department of Job and Family Services says applicants can arrange to have a fraud alert put on their consumer credit files by contacting one of the national credit bureaus.

Fraud alerts typically last 90 days but can be renewed.

Ohio law allows residents to put a security freeze on their credit reports by EquifaxExperian or Transunion, the state said.

Credit reporting agencies may charge a fee of no more than $5 to freeze and unfreeze credit reports, the state said.

About the Author