Imagine being an out-of-work independent contractor living in Ohio during this pandemic, anxious and unsure of when you’re actually going to get some financial assistance from the state because Ohio’s unemployment systems are being blown up with regular unemployment claims. Finally you get word that you can now file for unemployment benefits through the new Pandemic Unemployment Assistance program, which was specifically created under the CARES Act for gig workers or partially unemployed individuals who are not eligible for the usual unemployment insurance.
Let’s say you filed your PUA claim and it was accepted. At long last, there will soon be money deposited in your bank account every couple of weeks while you look for work. Then you get this email from the Ohio Department of Job and Family Services:
Dear PUA Applicant:
Deloitte Consulting is currently under contract with the Ohio Department of Job and Family Services (ODJFS) to assist the state of Ohio in administering the Pandemic Unemployment Assistance (PUA) program. Deloitte discovered on May 15, 2020 that your name, Social Security number, and street address pertaining to your application for and receipt of unemployment compensation benefits inadvertently had the capability to be viewed by other unemployment claimants. Thereafter, Deloitte immediately began an investigation and upon discovering the exposure, Deloitte immediately took steps to stop further access to and exposure of your personal information.
At this time, there is no evidence or indication to believe that your personal information was improperly used; therefore, our actions, as well as the actions you may want to consider, are preventative.
As a precaution, you may want to monitor your credit by obtaining a copy of your credit report from one of the three national credit bureaus. Federal law entitles every individual to one free credit report per year from each of the three main bureaus.
Awesome. Just when things were starting to go your way, now you have to worry about some Uber driver who was just laid off possibly knowing who you are, where you live, and the nine most precious digits you own. First, your job was taken from you. Now potentially your identity.
Anyway, Deloitte said it would offer free credit monitoring services to all PUA applicants in Ohio for a year.
But Ohioans aren’t alone. Data breaches also occurred last week in the PUA systems in Illinois and Colorado, exposing the personal information of thousands of claimants. And what’s the common link? Deloitte, of course.
In Illinois, nearly 32,500 PUA applicants had their personal information available for all to see for a short time, according to IllinoisPolicy.org. A small business owner from downstate Illinois, who was on the unemployment site to receive assistance herself, noticed people’s exposed data on May 15 and contacted her local state representative, who then alerted the governor’s office.
In April, Deloitte Consulting was awarded a $22 million no-bid contract (emphasis added because why not bid out a project with this much importance?) by the state of Illinois to build the new PUA claims system and to manage a call center, according to IllinoisPolicy.org.
During his daily COVID-19 press briefing on May 18, Illinois Gov. JB Pritzker threw Deloitte under the bus, essentially saying they built the system, they are responsible for the data breach. In a statement to CBS 2 News in Chicago, Deloitte tried to douse the fire:
We are deeply committed to protecting the personal information of our clients and the people they serve. A unique circumstance enabled one Pandemic Unemployment Assistance claimant in Illinois to intermittently access a restricted page on the state’s website. Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences. The only person to inadvertently access the restricted page is the one who reported it. Out of an abundance of caution, we are providing credit monitoring to those potentially impacted by this issue.
In Colorado, claimants’ personal information on that state’s PUA system was exposed for nearly TWO WEEKS, according to the Colorado Sun:
Deloitte, which provides similar technology to other states, mistakenly gave users privileged functions beyond the role of a regular claimant. It allowed users to search and potentially see another claimant’s “correspondence,” which could include a name and Social Security number.
The search function was enabled from May 2 to May 15, at which time Deloitte discovered the problem and blocked it from occurring again. The company told the state that according to its logs, during the two-week period only six people saw the searchable screens.
All six people have been contacted. There is no evidence that those users searched other accounts, according to the vendor’s logs.
The 72,000 people in Colorado’s PUA system were offered 12 months of free credit monitoring by Deloitte.
Fortunately, as of right now, all three of these data breaches haven’t turned out to be a horrible nightmare for the unemployed workers whose names, addresses, and SSNs were accidentally exposed, but it still has to be pretty nerve-wracking for them.
Between these three PUA system data breaches and the pile of junk it built to handle unemployment claims in the state of Florida, Deloitte Consulting’s reputation must be taking a bit of a hit, right? But don’t worry, Uncle D. will again be ranked among the top consulting firms to work for in the U.S. because of the culture, people, work/life balance, or whatever.