Early one morning, Heather Williams got an email asking her to confirm the email she had used to sign up for Maryland’s unemployment benefits portal.
But there were three major problems: Williams is employed. She lives in Canada. And she has never applied for unemployment benefits in Maryland.
Williams didn’t click the “activation link” in the email, but she still received another email moments later with a username, and then another with a temporary password, for her to use to log in to the portal, BEACON 2.0.
She did so and, lo and behold, it let her into the account without asking any security questions or otherwise confirming that she was the account’s owner. Nor did it ask her to change the temporary password, despite the email containing the password stating that, “when you access the site, you will be prompted to change your temporary password and set up responses to various security questions.”
“I tried it twice,” she said. “It didn’t ask me to set up security questions, nothing.”
Once inside BEACON 2.0, she had access to the account owner’s address and birthday, as well as pages where she could alter her payment information and tax information.
“I kind of stopped at that point. I wanted to confirm, what can I get into here, is this a real thing? Looks like it, there’s information here, it has all these specifics,” she recalled. “(It felt) not right.”
The mixup comes as the state of Maryland continues to grapple with thousands of unemployment claims each week. Many of these claims are apparently fraudulent, with nearly 65% of the claims made between Jan. 1, 2021 and Feb. 11 being flagged as such; at the same time, many legitimate claimants have struggled to receive unemployment payments, including those who were erroneously denied benefits or whose accounts were incorrectly flagged as fraudulent.
More recently, some recipients were confused and frustrated when the button that they typically used to send in their weekly claim certification was missing, only to later find out that they had to reapply for benefits.
A spokesperson for the Department of Labor said that someone had used Williams’ information when signing up for benefits, which is why she received the username and password. The department has now locked the account and flagged it as fraudulent; the owner will have to upload identification to verify whether or not it is fraudulent.
It’s unclear why the account’s owner, whether fraudulent or not, used the wrong email. Still, Williams is used to getting messages meant for other people, from order confirmations to divorce papers, due to her common name and generic email address.
She’s gotten used to ignoring most messages, unless something particularly sensitive comes into her inbox. In those cases, she tries to contact the other Heather to let them know what happened, but she wasn’t able to this time; the owner of the BEACON 2.0 account didn’t have a phone number listed in her account.
Williams wishes that there had been more guardrails in place to prevent her from logging into another person’s unemployment portal. She works in clinical research, a field that highly prioritizes a subject’s privacy, so she was especially surprised by how poorly protected the account owner’s information was.
“As it stands, this is the sloppiest IT implementation of security that I’ve seen in a very long time by a government body,” she said.
Experts at the Baltimore-based cybersecurity firm ZeroFOX, which has done research on CARES Act fraud and cybercrime, said that governments working with especially sensitive information can protect users’ data using the same best practices that any organization would.
“In particular, we’d expect to see defensive mechanisms like multi-factor authentication, encryption of data in transit and at rest, and robust network and cloud security controls in most modern systems,” said Sam Small, ZeroFOX’s chief security officer.
In this particular instance, “challenging email recipients to verify their identity by supplying personal data for validation can also help alleviate misidentification risks, e.g., by asking users to provide a recent phone number or a portion of their Social Security number,” he continued.
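The account flow Williams describes (credentials emailed before the activation link was used, a temporary password that never had to be rotated, and no identity challenge before profile, payment and tax pages opened) and the controls Small recommends can be shown side by side in a short account-provisioning model. The code below is an added illustration written for this page; it is not BEACON 2.0 code and says nothing about how that system is built. The portal URL, the `Account` and `Session` classes, and the use of the last four SSN digits as the challenge are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Illustrative model only (not BEACON 2.0's code). It enforces three gates the
# article says were missing: no credentials before activation, a forced password
# change after logging in with a temporary password, and an identity challenge
# before sensitive pages are shown.


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; prefer argon2id/bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    activation_hash: Optional[bytes] = None   # set while the activation link is unused
    activated: bool = False
    password_hash: Optional[bytes] = None
    must_change_password: bool = False        # True while the password is a temporary one
    ssn_last4_hash: bytes = b""               # assumed challenge secret, stored hashed


@dataclass
class Session:
    email: str
    password_rotated: bool = False
    identity_verified: bool = False


def start_signup(email: str, ssn_last4: str) -> Tuple[Account, str]:
    """Create a pending account. Only an activation link is sent; no username or
    password goes out until that link is used (gate 1)."""
    acct = Account(email=email)
    acct.ssn_last4_hash = _hash(ssn_last4, acct.salt)
    token = secrets.token_urlsafe(32)
    acct.activation_hash = hashlib.sha256(token.encode()).digest()  # store only the hash
    return acct, f"https://portal.example/activate?token={token}"   # hypothetical URL


def activate(acct: Account, token: str) -> str:
    """Consume the activation token once, then issue a temporary password that
    is flagged so the first login must rotate it."""
    if acct.activated or acct.activation_hash is None:
        raise PermissionError("no pending activation")
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, acct.activation_hash):
        raise PermissionError("bad activation token")
    acct.activated = True
    acct.activation_hash = None            # link cannot be replayed
    temp_password = secrets.token_urlsafe(12)
    acct.password_hash = _hash(temp_password, acct.salt)
    acct.must_change_password = True
    return temp_password


def login(acct: Account, password: str) -> Session:
    if not acct.activated or acct.password_hash is None:
        raise PermissionError("account not activated")
    if not hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
        raise PermissionError("bad credentials")
    # A session opened with a temporary password starts with neither gate passed.
    return Session(email=acct.email, password_rotated=not acct.must_change_password)


def change_password(sess: Session, acct: Account, new_password: str) -> None:
    """Gate 2: the temporary password must be replaced before anything else."""
    if len(new_password) < 12:
        raise ValueError("password too short")
    acct.password_hash = _hash(new_password, acct.salt)
    acct.must_change_password = False
    sess.password_rotated = True


def verify_identity(sess: Session, acct: Account, ssn_last4: str) -> None:
    """Gate 3: a challenge on data only the real claimant should know."""
    if not hmac.compare_digest(_hash(ssn_last4, acct.salt), acct.ssn_last4_hash):
        raise PermissionError("identity challenge failed")
    sess.identity_verified = True


def view_sensitive(sess: Session, acct: Account) -> Dict[str, str]:
    """Profile, payment and tax pages stay closed until gates 2 and 3 are passed."""
    if not sess.password_rotated:
        raise PermissionError("temporary password must be changed first")
    if not sess.identity_verified:
        raise PermissionError("identity not verified")
    return {"email": acct.email, "page": "payment-info"}
```

A recipient who gets the activation email by mistake and never clicks the link receives nothing further; one who does click it reaches only the change-password step, and the identity challenge still stands between a rotated password and the claimant's address, payment and tax details.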
A spokesperson for the Department of Labor described how users’ information is protected, stating in an email that, “the information entered by the claimant during the initial unemployment insurance claim application process and subsequent actions within the BEACON 2.0 system is safe and secure. BEACON follows the industry standard of securing and encrypting all data while at rest and in transit.”