America’s JobLink (AJL), which works with state governments to provide information to job seekers across the United States, recently acknowledged that a hacker exploited a vulnerability in its application code to view the personal information of job seekers across 10 states.
The information exposed includes the names, Social Security numbers and birthdates of job seekers in Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont. According to the Idaho Department of Labor, as many as 4.8 million accounts may have been compromised nationwide.
On February 20, according to AJL, a hacker created a new account, then exploited a vulnerability to access other job seekers’ information. America’s Job Link Alliance – Technical Support (AJLA-TS) said in a statement that it first noticed unusual activity on March 12, and confirmed the breach on March 21.
The organization is working with law enforcement to identify the attacker, and has contracted a forensic firm to determine which job seeker accounts were affected. “The firm has verified that the method of the hacker’s attack has been remediated and is no longer a threat to the AJLA-TS system,” AJL stated.
Lisa Baergen, director of marketing at NuData Security, told eSecurity Planet by email that whenever personally identifiable information (PII) like this is compromised, the stolen data can be cross-referenced with data from other breaches to present an even greater threat.
“As a society, we’ve reached the point where every organization entrusted with PII should be constantly testing and hardening its external and internal defenses, and embracing more proactive, effective levels of defense such as consumer behavior analytics solutions, which can constantly validate legitimate users — even when the stolen but accurate credentials are presented,” Baergen said. “That would be the best way to help prevent the sorts of deceitful transactions and identity theft that otherwise may lie ahead for these unfortunate JobLink victims.”
According to the results of a recent survey of 4,268 IT and IT security practitioners worldwide, 69 percent of respondents said some of their organization’s existing security solutions are outdated and inadequate. As a result, just 39 percent of respondents said their organization has the security technologies to adequately protect information assets and IT infrastructure.
The survey, conducted by the Ponemon Institute and sponsored by Citrix, also found that just 32 percent of respondents are confident their employees’ devices are not providing criminals with access to their corporate networks and data.
Just 48 percent of respondents said their organization has security policies in place to ensure that employees and third parties only have the appropriate access to sensitive information — and only 37 percent of respondents said their organization is highly effective in using access control and multi-factor authentication to protect sensitive data.