Cyber attack on WI's unemployment system exposes banking information

For most people, getting paid two days after filing an unemployment claim is a dream come true. But for Donna Fischer in Sheboygan, it was the beginning of a nightmare.

Donna Fischer

"It pretty much destroyed my life," Fischer said.

The unemployment website said Fischer's money was deposited into a Wells Fargo account. However, Fischer says she has never banked with Wells Fargo.

Fischer later received letters from the state's Department of Workforce Development, which oversees unemployment payments. They said a cyberattack gave an "unknown imposter" access to her bank accounts and personal information.

The Department of Workforce Development says Wisconsin was one of several states to detect "unauthorized intrusions of state UI data originating from Japan, South Korea, Russia, and inside the U.S." A spokesperson says the department believes the cyber attack or attacks were able to access 116 active unemployment accounts.

Fischer said investigators told her what happened is called "credential stuffing."

John May

"Credential stuffing is when an attacker uses data from a previous breach at another location," Ontech Systems, Inc., Senior Technical Lead John May said. Ontech provides IT support and cyber security services.

May gave the example of the Yahoo data breach from a few years ago, which gave hackers thousands of usernames and passwords. Someone then plugs those usernames and passwords into other networks, like DWD's IT system, hoping at least a few people used the same combinations as their Yahoo accounts. 

"The hackers aren`t stupid," May said. "They`re going to go for the biggest bang for their buck. And right now, that`s anything having to do with financials...I may only get one or two hits, but if I get one or two hits, those hits are worth potentially thousands of dollars."

Fischer filed for unemployment insurance online, as the state encourages. As a result, her banking information was in her unemployment portal. She says investigators told her the "unknown imposter or imposters" changed her banking information several times so the money would go to them.

When Fischer first reached out to FOX6, her case had been caught up in adjudication for weeks and she had been unable to access a single unemployment payment.

"Eviction notice, plates on my car expired, bill collectors," Fischer said. "I can`t even apply to jobs because I can`t get to an interview...I'm not able to sleep. I'm not able to eat."

Fischer paused to compose herself as she started to cry.

"It`s just a lot of anger," Fischer continued. "A lot of, I don`t know what to do, I don`t know which way to turn."

Security consultants like May say there are things both individuals and organizations can do to safeguard information from credential stuffing. Individuals can ensure they don't use the same password more than once. Password managers, like LastPass, can assist with making that process easier.

May says organizations that house personal information, like DWD, can use password hashing, which is a form of encryption. They can also have protections that require users to set up strong passwords in order to use their sites. Most importantly, May says organizations should use two-step authentication.

Two-step authentication, also known as two-factor authentication or two-step verification, is an extra layer of security that sends an alert to a known email address or phone number when a user tries to sign into a site. 

May says a combination of users avoiding repeating passwords and two-factor authentication would "resolve 90 percent of these types of problems."

"In some cases, it may be just a plug-in to the existing software solution that they’ve got," May said. "In other cases, it may require a total redesign of their security structure."

Fischer says the state's unemployment system never gave her the option to have two-factor authentication, or told her to pick a stronger password. FOX6 asked the Department of Workforce Development about the security tools it uses. A spokesperson said the department has "implemented system enhancements" like geo-blocking, captcha controls, and additional firewall capabilities. DWD also says it has used multi-factor authentication since 2016 -- and password strength spotting on the website where unemployment accounts are created.

After speaking to FOX6, Fischer says the state released some of her unemployment money to the correct account. However, investigators tell her it could take two years to repair the identity fraud damage. She is still in debt, and is now receiving notices that someone set up an unauthorized bank account in her name.

"I have nothing left for you to take from me," Fischer said.

Read the full statement from the Department of Workforce Development below:

Nefarious actors continue to target state UI systems with increasingly sophisticated hacking schemes to access personal information of UI claimants. Wisconsin recently was one of multiple states to detect unauthorized intrusions of state UI data originating from Japan, South Korea, Russia and inside the U.S. We are working with the USDOL – OIG to investigate the multi-state hacking incident and continue to take additional steps to ensure the safety and security of Wisconsin's UI systems.

The Department has been monitoring suspicious activity where it appears a person or persons are attempting to improperly gain access to the Department of Workforce Development's information technology systems since late September. As of 10/19/20, there have been 116 active unemployment accounts that the fraudulent actor(s) may have been able to access. The Department has called each of those individuals directly. When the Department contacts an impacted claimant, the Department works to verify the claimant's identity, as well as his or her contact and banking information to ensure that benefits are distributed properly.

As the Department and many states have warned, fraudsters have been trying to take advantage of the high number of unemployment claims throughout the pandemic through a variety of schemes (see https://dwd.wisconsin.gov/ui/fraud/scams.htm). This type of scheme was first recognized in Wisconsin on 9/21/2020 with a high volume of suspicious activity. The suspicious activity is ongoing, though it has since diminished.

DWD has implemented system enhancements to combat these attacks. Specifically, geo-blocking and captcha controls were put in place and improved scans of access activity are being performed. Furthermore, DWD migrated the systems to upgrade the servers with additional firewall capabilities.   

If a claimant suspects they are a victim of unemployment fraud, they should contact the department in one of the following ways:

Mail us at the following address:

Unemployment InsuranceAttn: Program Integrity P.O. Box 7905 Madison, WI 53707

More information is available on our website at https://dwd.wisconsin.gov/ui/fraud/

DWD is always updating the DWD Fraud website with information for claimants: https://dwd.wisconsin.gov/ui/fraud/

Open Record: A system in chaos

So many FOX6 viewers have reached out to us as they encounter issues with Wisconsin's unemployment system. This episode of Open Record explains why there are so many problems and what the Department of Workforce Development has to say about the situation.

People waiting on unemployment say WI’s system is still chaos

Wisconsin's Department of Workforce Development says more than 590,000 claims are still being processed; those claims belong to roughly 80,758 people. Additionally, DWD says there are 10,596 appeals in process.