Personal data used in COVID-19 unemployment claims exposed in breach

Deloitte's system enabled access to applicants' data.

Corinne Reichert Senior Editor
Corinne Reichert (she/her) grew up in Sydney, Australia and moved to California in 2019. She holds degrees in law and communications, and currently writes news, analysis and features for CNET across the topics of electric vehicles, broadband networks, mobile devices, big tech, artificial intelligence, home technology and entertainment. In her spare time, she watches soccer games and F1 races, and goes to Disneyland as often as possible.
Expertise News, mobile, broadband, 5G, home tech, streaming services, entertainment, AI, policy, business, politics Credentials
  • I've been covering technology and mobile for 12 years, first as a telecommunications reporter and assistant editor at ZDNet in Australia, then as CNET's West Coast head of breaking news, and now in the Thought Leadership team.
Corinne Reichert
2 min read

Thousands of Social Security numbers were reportedly exposed.

Angela Lang/CNET

The personal data of people seeking coronavirus-related unemployment benefits was exposed over the weekend, the Ohio Department of Job and Family Services (ODJFS) confirmed Wednesday. Deloitte, which administers the program, notified ODJFS that about a dozen people were able to view other claimants' data in that state. The data reportedly included thousands of Social Security numbers and home addresses.

Deloitte fixed the issue within an hour, ODJFS said, with the department contacting those who were accidentally given access to others' data.

In a response Friday, Deloitte said "a unique circumstance" allowed three dozen unemployment claimants across Colorado, Illinois and Ohio to see the details of others.

"We are deeply committed to protecting the personal information of our clients and the people they serve," a Deloitte spokesperson added. "The systems were not hacked or externally breached."

"Although there is no evidence of any widespread data compromise, Deloitte is offering credit monitoring to all [Pandemic Unemployment Assistance] claimants for 12 months," ODJFS said.

On Thursday, Ohio residents filed lawsuits against Deloitte for its handling of their data, alleging negligence and poor security practices led to the exposure. The suits, filed in federal court in Manhattan and state court in Ohio, were reported earlier by Bloomberg.

Those seeking unemployment benefits in Colorado were also affected, the state's Department of Labor and Employment confirmed Friday. "On Saturday, May 16th, we were notified of a limited and intermittent data access issue where a handful of individuals within the new Colorado Pandemic Unemployment Assistance application were inadvertently able to view other claimants' correspondence," the department said in an emailed statement. "Deloitte worked swiftly once the unauthorized access was identified and fixed the issue within one hour."

The exposure is the latest headache for unemployment applicants during the coronavirus pandemic. Others who've applied have found that they're victims of identity theft, and that someone else has already claimed benefits in their name, according to complaints to the FTC. On Saturday, cybersecurity writer Brian Krebs reported that the US Secret Service had issued a warning about a Nigerian crime ring using stolen Social Security numbers to apply for unemployment benefits.

The Illinois Department of Employment Security didn't immediately respond to a request for comment.