Massive Joblink Breach

Officials  in ten states including Vermont, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine and Oklahoma have all reported a security breach which has accessed the information of the states’ job seekers.  The third party vendor, America’s Joblink Alliance, which operates the Joblink nationwide database has notified the states that the job seeker service had been compromised by malicious software.

While the full scope of the  breach is not yet known, the AP says it’s unknown whether social security numbers were breached, and that officials advise all system users to review bank, credit and debit accounts. IT security experts from Prevalent, VASCO Data Security and NuData Security commented below.

Jeff Hill, Director of Product Management at Prevalent:

“One challenge we encounter when working with companies developing vendor risk management programs for the first time is the simple task of identifying all their vendors.  On the surface, it sounds absurd, but modern organizations utilize myriad services that, at first glance, don’t conform to the conventional notion of a vendor.  The Vermont Labor Department breach and other Joblink Alliance users highlight one example:  a service embedded in the organization’s website.  If we were to ask the vendor risk management team – assuming one exists – at the Vermont, Arkansas or Main agency to list their most critical vendors, it’s unlikely a JobLink would be top of mind.  As these states’ Departments of Labor learned the hard way, sometimes the riskiest vendors are the most obscure.”

Brad Keller, JD, CTPRP, Sr. Director 3rd Party Strategy at Prevalent:
.
“Certainly there is still much more to be revealed about the breach, but one thing is quickly reinforced – breaches may occur at vendors that a company has never identified pose a risk or which needs to be assessed.  Companies need to take a broad look to determine all of the places outsourced risk could strike.”

John Gunn, CMO at VASCO Data Security:

“It is entirely unacceptable that organizations such as this are allowed to violate the public’s trust by not properly securing critical identity information. This is adding injury to misfortune – not only are these people out of work, now they have to worry about identify theft for the rest of their lives. The final insult is the referral to credit monitoring services where the victims can pay for ID theft protection.”

Lisa Baergen, Director of Marketing at NuData Security:

“While the full scope of the breach is not yet known, what is known is that targeting vulnerable job seekers is awful, and that any breach of personal and/or financial information such as this is of significant concern.

“Whenever such personally identifiable information (PII) is compromised, the looted data may well be cross-correlated with details from other breaches and social platforms to create comprehensive identities that are more valuable to hackers, rendering the victim susceptible to fraud.

“As a society, we’ve reached the point where every organization entrusted with PII should be constantly testing and hardening its external and internal defenses, and embracing more proactive, effective levels of defense such as consumer behavior analytics solutions, which can constantly validate legitimate users – even when the stolen but accurate credentials are presented. That would be the best way to help prevent the sorts of deceitful transactions and identify theft that otherwise may lie ahead for these unfortunate JobLink victims.

Some will be offered free credit monitoring, which can do little if anything to stop thieves from stealing your identity. One tool that consumers can use to protect themselves is to apply a credit freeze, also known as a security freeze. Legislation in the US and UK enables consumers to freeze their credit at the credit bureau level. If you are a victim of identity theft, this is often offered gratis. Otherwise there can be a freeze and thaw charge. A freeze can be applied online, but must be done with all three bureaus, and will effectively prevent any new credit issuance. Anyone attempting to apply for new or additional credit will have the transaction sent for manual review and declined until the consumer unlocks the freeze (thaws the lock), essentially locking out any potential creditors from being able to view or “pull” your credit file.”