(TNS) — The fired former director of Kentucky’s unemployment office told a panel of lawmakers Tuesday that officials at the Education and Workforce Development Cabinet failed to quickly respond to reports of a data breach in the state’s unemployment system in April.
Muncie McNamara — a non-merit staffer who donated to and volunteered for Beshear’s campaign and was hired to run the unemployment office in December — was fired in May after months of backlogs in the state’s unemployment system as a record number of Kentuckians filed jobless claims because of COVID-19.
His testimony comes as the state still struggles to process the staggering number of jobless claims and after reports of a second data breach Monday that officials said did not put anyone’s financial information at risk.
McNamara said officials did nothing about an unemployment data breach that allowed some people who logged onto the system to see other people’s sensitive information for at least a day.
“The April 23rd one was the one that got everyone’s attention,” McNamara said. “But I was made aware of a possible data breach the day before that.”
McNamara said he forwarded an email expressing concerns to the head of IT and Josh Benton, then the deputy secretary of the Education and Workforce Development Cabinet, and did not get a response.
An Open Records Request asking for emails alerting Benton of a data breach did not turn up an email from McNamara to Benton. It did, however, produce an email from April 23rd with the subject line “Holy Cow Security Issue.”
In the email thread, which alerted unemployment office administrators at 9:17 a.m. on April 23 of the data breach, a staffer named Jennifer Combs indicated that this wasn’t the first time the problem had occurred.
“Someone in Slack said this is not the first time this has happened and they have just told them to delete the documents. However, that doesn’t feel right to just delete them and move on especially if this is a repeat issue,” Combs wrote.
Another email showed the technology office had fixed the issue by 1:11 a.m. on April 24.
When asked about the referenced Slack message in June, J.T. Henderson, a spokesman at the Cabinet for Education and Workforce Development, said the only “verifiable” claims came on April 23.
“We do know there were no verifiable reports of similar issues prior to April 23,” Henderson said.
However, the cabinet notified everyone whose information may have been exposed: 53,029 people who filed claims between March 1 and April 23.
“We believe the number of people whose information was actually viewed is low, but we cannot definitively state how many people’s information was exposed. Almost two months later, we have seen zero instances of people’s information being compromised,” Henderson said in June.
Rep. Savannah Maddox, R-Dry Ridge, said the breach was evidence that the administration must work to restore public trust.
“Generally speaking, this whole situation has added insult to injury in so much we have so many folks across the commonwealth who have waited great lengths of time to receive their unemployment benefits,” Maddox said.
Sen. Karen Berg, D-Louisville, however, took issue with the fact that McNamara didn’t do more to draw attention to the data breach.
“In my world, had I been aware of a data breach in my system and went home that day without knowing that the system had been shut down, I would have been committing a crime,” Berg said. She was cut off by Rep. Russell Webber, R-Shepherdsville, the chairman of the Joint Interim Committee on Economic Development.
Webber stressed before the testimony that McNamara was testifying as part of a “fact-finding” mission and that it was “not political.” Berg, who was recently sworn into office after winning a special election, was the only Democratic lawmaker allowed to question McNamara.
©2020 the Lexington Herald-Leader, Distributed by Tribune Content Agency, LLC.