Claimants say unemployment system was hacked; DETR says it wasn’t

A warning message flashed on Las Vegan Paul Kovacic Jr.’s computer screen telling him the password to his unemployment insurance account was incorrect.

Kovacic didn’t give it much thought and tried retrieving his password. That’s when everything fell apart.

“As soon as I got in (my account), I go right to the banking page,” said Kovacic, where his benefit payment history and direct deposit information are found. “It said my bank was the Land of Lincoln Credit Union in Decatur, Illinois. None of that’s correct.”

Some jobless Nevadans are having trouble signing into their unemployment account, and for the few filers like Kovacic who regain account access, their personal information such as birthday, mother’s maiden name and the direct deposit account for their weekly benefit payments have all been changed.

Claimants allege Nevada’s employment office has been hacked and that the victims are filers under the Pandemic Unemployment Assistance program, a CARES Act provision giving independent contractors and self-employed workers unemployment benefits.

But an official with the Department of Employment, Training and Rehabilitation said that DETR continuously monitors its systems for possible breaches. “At this time, we are not aware of any data breaches to our system, so that information is not accurate,” DETR spokeswoman Rosa Mendez said in a statement emailed Friday.

“We are aware of several phishing and texting scams that have, unfortunately, resulted in people having their personal information stolen, which is then used to change their claim information,” Mendez said. “In one specific type of attack we have seen recently, scammers are sending a form of phishing attack called typosquatting where a message is sent by email or text stating there is an error in your unemployment claim which links you to employnv.live or several other employnv. site designations. But these links give the fraudsters the ability to see the information the claimants type in.”

Filers who spoke with the Review-Journal said they were aware of DETR-related text and phishing scams and took precautions to protect their information, and some, including Kovacic, have a background in software engineering and cybersecurity.

Compromised accounts mark just the latest in a string of setbacks PUA claimants have faced since they started filing for benefits in May.

Software firm Geographic Solutions said a data breach to the PUA website, EmployNV, hasn’t occurred. The company was hired last year by the department to implement the PUA program.

“It wasn’t a data breach of the system but a data breach of something else,” Geographic Solutions founder and President Paul Toomey said. “What’s happened is these individuals have had a data breach somewhere else like an Equifax and the bad actors have gotten ahold of their information.”

Toomey said the fraudsters may try to use the stolen information to gain access to a person’s account.

While he said claimants should be cautious, the company is continuing to take “a variety of measures to try and prevent someone fraudulent from getting into the system.”

Tipped off

Adam Kowalskii noticed the problem in November. He said his PUA account is fine but noted he learned about the issue because he helped create the Facebook group Nevada-Pandemic Unemployment Assistance, where filers share tips and report problems.

“It was very small, like maybe one or two in November,” he said. “We would just tell them to contact PUA and all of a sudden a couple weeks ago we started seeing more and more. It was like a stampede of people. I feel like it’s not if people are going to get hacked but when people are going to get hacked because it’s getting way too frequent.”

He said last month the Facebook group organizers reached out to Barbara Buckley, who headed the state’s defunct rapid-response team created to help DETR wade through its unemployment issues and claims backlog.

Buckley said the task force was ending just as the Facebook group contacted her about filers whose “data was changed, and they could no longer get in their accounts.”

“I forwarded those immediately to DETR so they could take all appropriate action,” Buckley said in an emailed statement.

The state attorney general’s office said its role with DETR is “attorney-client” when asked if the office was aware PUA filers have had their accounts compromised as well as whether unemployment-related cases were open involving a data breach or wire fraud.

“Unfortunately we can’t confirm or deny the existence of criminal investigations in most cases,” the office said in an emailed statement.

The office suggested filers visit the attorney general’s website to learn how they can protect themselves from fraud, saying, “we have issued many consumer protection releases to educate and assist consumers about protecting their privacy.”

Ripple effect

Las Vegas resident Tasha Rodriguez recalled an email from DETR the night of Nov. 15 saying her user name, password and security information for EmployNV had been updated.

She immediately tried to sign in to her account, but the website could not recognize her information including the last four digits of her Social Security number.

It took two weeks of calling the PUA phone line before she connected with an agent for help.

“In the meantime, whoever hacked into my account had already filed two claims that were paid out,” said Rodriguez, who was told the payments had been issued to a bank in Ohio.

She said DETR’s fraud department froze her PUA account to investigate, but it has been more than one month with no update. She hasn’t received her weekly benefits and hasn’t been able to access her account.

“In the interim of all this happening, I got a non-fraud disqualification and overpayment letter, and I can’t even log on to appeal it and I just received last week the 1099 (tax) link (but) I cannot log in,” she said, adding that she hasn’t received a copy of her 1099-G in the mail.

Rodriguez isn’t the only one missing out on DETR communications.

Kovacic was locked out of his account late October and regained access on Jan. 19 — when he was finally able to get through the PUA phone line.

“I got disqualified from my entire filing going all the way back to March because they sent me a message on Jan. 14 saying send your driver’s license and Social Security card and you got 48 hours,” he said. “You can see which messages changes over to another email address that’s not mine — it goes to my email and then Nov. 17 it starts to go to somebody else.”

Better safeguards

Timothy Wade, cybersecurity firm Vectra’s technical director of the Office of the CTO, said it would not be surprising that PUA filers’ accounts were compromised.

“A lot of these breaches that we read about, the adversaries have been in the network for a long time. Verizon’s data breach report said the average is 100 days an adversary has full run of a network before they get discovered and that’s kind of scary,” he said. “When there’s an opportunity for some kind of direct deposit service to be compromised and redirected that will be targeted.”

The Office of the Inspector General for the Department of Labor said a conservative estimate of improper payments, with a significant amount from fraud, is at least $36 billion of the $360 billion in unemployment benefits under the CARES Act as of Nov. 7, 2020. It also said unemployment insurance investigations by the office now accounts for 70 percent of its caseload, compared with 12 percent before the pandemic.

DETR has not disclosed the amount of improper payments it has made, but the agency told a state Senate Commerce and Labor Committee that it has stopped $2 billion in attempted fraud and recovered $100 million in wrongfully paid claims.

Jessie Martin, who lives in Las Vegas, was locked out of his account last week. He was able to regain access several days later when speaking with a PUA call center agent. The following day his account was accessed again, and he was locked out, he said.

“When you set up everything they make you upload front and back copy of your driver’s license, they make you upload the front and back copy of your Social Security card, your taxes,” said Martin. “These people have complete access to all the information I put in there, basically everything they need to be me. That is my biggest worry.”

A previous version of this story included an incorrect date for a DETR email informing a Las Vegas resident that information on her EmployNV account had been updated.

Contact Subrina Hudson at shudson@reviewjournal.com or 702-383-0340. Follow @SubrinaH on Twitter.