Karl Baker

The News Journal

A breach of a state Labor Department job-seeker database this month put more than 200,000 Delawareans at risk of identity theft after Social Security numbers and dates of birth were exposed, officials said Wednesday.

“Anytime people’s personal information gets out there, it’s reason for alarm,” Delaware Department of Labor Secretary Patrice Gilliam-Johnson said. “But at this time, it’s hard for us to quantify. ... We’re still trying to get to the facts, trying to figure out what this will mean in the long run.”

The database, called Delaware JobLink, connects job seekers with employers and contains information from 253,420 people in the First State. The personal information from 200,201 accounts was potentially stolen.

The database is managed by Kansas-based America’s Job Link Alliance, which also operates jobs software for Alabama, Arizona, Arkansas, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont. Records in those states also were compromised. Delaware has contracted with AJLA since 2007.

The attack – one of the largest intrusions into Delawareans' sensitive, private information in history – was carried out after the hacker created a job-seeker account in the system, then “exploited a vulnerability” in the code that underpins the database.

The hacker was able to “view the names, Social Security Numbers, and dates of birth of job seekers,” according to a statement from AJLA.

"We are working both closely and diligently with America's Job Link to arrange a formal notification of this breach to all those impacted and are in the process of setting up a call center to assist us in remedying this matter," Gilliam-Johnson said.

When asked if the vulnerability was a result of negligence, she said it is too early to say.

AJLA Director Christine Bohanan has been hosting conference calls with officials from Delaware and other impacted states, said Jason Clarke, spokesman for the Delaware Department of Technology and Information.

Bohanan responded to an email from The News Journal but did not agree to a phone interview.

Clarke said DTI is working with AJLA in an "advisory role." The department has put its emergency cybersecurity team on stand-by, he said.

"The sale of [personal] information is something that is done all of the time" by criminals, Clarke said.

Officials from the FBI and the digital investigations firm RSA are looking into forensic evidence to find out how many job-seeker accounts have been viewed and where those individuals are located, according to an AJLA statement.

No suspects were announced Wednesday.

State officials were first alerted to the hack last week, said Claire DeMatteis, chief of administration at the Department of Labor. But at the time, AJLA said just three states – not Delaware – had been impacted.

Only after outside investigators looked into the breach did its scope become clear, she said.

"Over and over again, they said there was no evidence of a Delaware impact,” DeMatteis said. “It was just this afternoon actually that we learned, in fact, that Delaware was impacted."

AJLA has assured state officials the vulnerability has been eliminated, she said.

"This situation demands that you are skeptical of any information that you receive. But to the best of our knowledge, the application that hacker was able to compromise has been fixed,” DeMatteis said.

Gilliam-Johnson said job seekers should continue to use the Delaware JobLink site.

Anyone fearing their personal information might have been on the job database should monitor their credit reports with the credit rating agencies Equifax, Experian and TransUnion, DOL officials said in a statement.

Affected individuals can “issue a fraud alert on their credit reporting so they will absolutely be alerted if there is a problem,” DeMatteis said.

Going forward, Labor Department officials will evaluate whether requiring a Social Security number for the Delaware JobLink site is necessary, she said.

“If we can change the system so that a Social Security number isn’t necessarily available," DeMatteis said, "that will be a substantial improvement. Those are the kind of things that we’re looking at."

Contact Karl Baker at kbaker@delawareonline.com or (302) 324-2329. Follow him on Twitter @kbaker6.

PROTECT YOURSELF

Delaware JobLink users may contact credit rating agencies and request a fraud alert or a freeze on their credit file. They also may contact the Internal Revenue Service's Identity Protection Specialized Unit at (800) 908-4490. See identitytheft.gov/databreach for additional follow-up steps. Credit agencies can be contacted at the following numbers:

Equifax, (800) 685-1111

Experian, (888) 397-3742

TransUnion, (800) 916-8800



