Cameron, Harmon criticize data breach handling; Beshear responds


FRANKFORT, Ky. (WTVQ) – Two state officials questioned the governor’s office Friday over the potential data breach in the state’s unemployment insurance system and why it took so long for the breach to be disclosed.

But Gov. Andy Beshear responded, saying he too wasn’t happy and that’s why he took broad steps this week when he found out about the situation.

In a press release, Attorney General Daniel Cameron and Auditor Mike Harmon called on Beshear and the Education and Workforce Development Cabinet to explain why the administration waited more than one month after receiving a report of a security breach within the unemployment insurance system before disclosing it to Kentuckians whose personal identifying information was compromised.

Cameron and Harmon also questioned why the administration failed to report the breach to the Auditor’s office and Attorney General’s office within three days as required by a 2014 law.

“Kentuckians have suffered incredible financial hardship as a result of COVID-19, resulting in nearly 40 percent of our workforce applying for unemployment benefits and entrusting their information to our Education and Workforce Development Cabinet,” said Attorney General Cameron. “The Beshear Administration’s lack of transparency and failure to promptly notify Kentuckians and our office of the breach suggest carelessness and a disregard for the importance of protecting the personal and financial information of our citizens.”

Beshear announced the breach Thursday, saying the department thought the computer glitch didn’t rise to the level of a breach.

“They didn’t believe it was a breach and when we found out, we disagreed,” said Beshear, who has asked for an outside review by the Inspector General in the Transportation Cabinet.

“I am not happy either. That’s why we’ve taken the steps we’ve taken,” continued Beshear, who also is moving the unemployment insurance department to the Labor Department. “I am not trying to score political points, I’m trying to do what’s right. We have been and are going to be transparent.”

Thus far, the state said it has not heard of any information actually being compromised or residents suffering identity theft. Beshear said Thursday if any information was compromised, it would have been a “very small” number.

On May 19, the Attorney General’s Office of Consumer Protection sent a letter to Lt. Governor Jacqueline Coleman, who also serves as Secretary of the Education and Workforce Development Cabinet, stating that the office had learned of a potential security breach.

In the letter, Consumer Protection Director Chris Lewis asked Lt. Governor Coleman to confirm that such a breach had occurred and begin conducting a reasonable and prompt investigation. Lewis also noted that if such a breach had occurred in April, the Beshear Administration had not complied with the law, which requires notification of the breach within three days of its occurrence.

On May 22, Education and Workforce Development Cabinet General Counsel Joanna Decker responded to Lewis’ letter and confirmed that a security breach had occurred.

Decker provided Lewis with the notification form required by state law. The form, however, was incomplete and conflicted with the letter by stating that such a breach had not occurred. The Cabinet also separately notified the Auditor’s office, with a letter and reporting form containing the same discrepancy.

After separately inquiring about the discrepancy, the Attorney General’s office and the Auditor received a completed notification form, notifying the office of the breach Thursday evening, May 28, only after Governor Beshear announced the breach in his daily press conference.

“As part of our annual audit of the Commonwealth’s Comprehensive Annual Financial Report, or CAFR, we will be auditing the Unemployment Insurance program. My office will conduct its own inquiry and follow the data to wherever that may lead,” Auditor Harmon said.

The Attorney General and Auditor urge Kentuckians who applied for unemployment insurance between March 1 and April 30, 2020, to monitor their credit and be vigilant against scams.

Federal law permits Kentuckians to receive a free copy of their credit report every twelve months from the three major credit reporting agencies. To take advantage of this free program, visit annualcreditreport.com.

The political overtones of the data breach got even more obvious with a release from the state’s Republican Party, which accused Beshear of “failing” the state.

“While tens of thousands of Kentuckians struggle to get the assistance they need to pay their mortgages and put food on the table, Beshear’s unemployment insurance director spends her time launching insulting partisan tweets, and failing to meet the needs of the Commonwealth,” Republican Party of Kentucky spokesman Mike Lonergan said.

In March, Beshear hired Stefanie Kingsley to oversee the Office of Unemployment Insurance. Since then, Kentucky has been hit with record-breaking unemployment claims due to the COVID-19 crisis.

Instead of focusing her time on ensuring her office meets the needs of Kentuckians, she’s been tweeting partisan insults.

Originally, Beshear charged Lt. Governor Jacqueline Coleman to oversee the Unemployment Insurance Office as part of her role as secretary of the Education and Workforce Development Cabinet. The office is being moved to another cabinet.

“This office is failing in other ways,” continued Lonergan. “Just yesterday, Gov. Beshear finally publicly disclosed a serious cybersecurity breach of the unemployment insurance computer system – despite the fact that it occurred more than a month ago. And last week, Gov. Beshear personally promised to follow up on unprocessed claims of 40 Kentuckians, and yet, according to news reports, less than 25 percent of them have heard back.”

“We’re at a time when the Office of Unemployment Insurance is critical. This office needs real leadership, and it’s time Beshear and Coleman answer why they’ve failed unemployed Kentuckians. They owe it to Kentucky families,” concluded Lonergan.