Gov. Phil Scott and Labor Commissioner Lindsay Kurrle
Gov. Phil Scott announced Thursday that a data breach at a state contractor affects far more Vermonters than initially thought.
The breach happened at a private firm called America’s Job Link Alliance, which contracts with Vermont and nine other states to provide a database for job seekers and employers. Under state law, anyone who applies for unemployment benefits — unless they have a firm return-to-work date within 10 weeks — is required to register with JobLink and regularly use the site to search for work.
Scott said the personal data — name, address, birthdate and Social Security number — of all applicants may have been compromised, going all the way back to the year 2003, when the state began contracting with AJLA. That’s a total of 180,000 applicants in Vermont.
“We initially thought that the breach was on a smaller scale,” Secretary of Labor Lindsay Kurrle said at a Thursday afternoon Statehouse press conference with Scott.
Kurrle said the state had previously believed that accounts that had not been used within the past year had been deleted.
“Part of what we learned throughout, well, yesterday, was that AJLA had not purged those accounts. That does not mean 180,000 people, because somebody could be in there 10 times,” she said. “They might create a new record every time.” She said it’s not known exactly how many individual Vermonters were actually affected.
It could have been worse. JobLink is a “standalone” system for Vermont. The other nine states allowed JobLink to interact with state systems, so their breaches are potentially much larger.
According to Scott, the failure to purge old records may expose AJLA to a lawsuit seeking damages and restitution, including free credit checks, for those who suffer the theft of personal data.
The good news? So far, there have been no reports of actual theft or fraud resulting from the breach. “There’s just the potential that is there,” said Scott. He urged anyone who believes they were victimized by the breach to contact state officials immediately.
Kurrle said that AJLA first noticed “suspicious activity on or around March 12.” The firm immediately launched an investigation and called the FBI. “It has not been very long in terms of cyber-breaches,” added Kurrle, meaning that actual theft of personal data may still happen in the future.
The Labor Department’s website features a “Frequently Asked Questions” document provided by AJLA. There will also be a toll-free number with actual human staffers starting Friday.
Scott said no decisions have been made on lawsuits or any other action. “We’ll look at the provisions of the contract and see what recourse we have,” he said. “But we want to make sure we’re taking care of business first.”
Scott was asked if the state has an obligation to hold Vermonters harmless if AJLA fails to do so, since applicants were required to use JobLink.
“I do believe that we have an obligation, because this wasn’t something they sought to utilize on their own,” the governor replied. “So I do think we have some obligation to do something. We’ll be investigating that. I am confident we will have some recourse with the company.”
He also took the opportunity to plug his administration’s digital initiatives, including creation of an Agency of Digital Services. “The fact is, digital threats can come from anywhere,” he said. “The State of Vermont has significant work to do to improve our cybersecurity efforts.”