A total failure to imagine a likely risk scenario has lost the State of Washington possibly hundreds of millions of dollars to thieves who defrauded the state unemployment agency:
Employment Security Department Commissioner Suzi LeVine says the names of potentially thousands of Washingtonians, many who remain employed, were used to make fake unemployment claims and defraud the state of hundreds of millions of dollars.
The state was hit especially hard in the early weeks of the coronavirus pandemic, as state and federal benefits ramped up to handle the sharp and staggering number of claims.
Commissioner LeVine says she will make sure victim’s rights are protected, and those where benefits were paid out to the criminals won’t be liable for any sort of repayment.
“I will say this again because it’s really important. We did not have a data breach,” said Levine. “And the information was not stolen from us. It was the utilization of stolen information on our site.”
The identity information most likely came from multiple earlier data breaches, including from credit-reporting agencies. Washington State simply didn't authenticate applications properly before disbursing money:
“These are very sophisticated criminals who have pretty robust collections of information on people, and they are activating and monetizing that information,” [LeVine] said.
No, these are, in fact, really dumb criminals who exploited the eagerness of LeVine's department getting money to claimants before employers returned validation letters. And the fact that LeVine and her department's security folks couldn't see this possibility ahead of time means they may not have the skills to do their jobs in the Internet era.