|
 Unemployment benefits are being hijacked in Illinois, and
victims say the thieves have penetrated Illinois Department of Employment
Security computers.
That’s according to Warren Winston, a contract pharmacist who has been the
victim of account hijacking on four different occasions. He’s worked closely
with IDES since April to combat hijacking attempts on his account that cost him
$3,262 in unemployment payments. The latest successful theft was in mid-July.
According to a complaint he later filed with the state, Winston reported the
instances of fraud in his account to IDES after the first hijacking. He updated
his banking information and changed passwords.
Despite changing this information and putting IDES on notice to watch for future
hijacking attempts, scammers stole benefits from his account three more times.
The unemployment agency never intervened.
“Somebody robs a bank in Pittsfield, and the cops get there in five minutes,”
Winston said in an interview with the Chicago Tribune. “Somebody robs a bank in
IDES, and nobody does anything about it for three months. It’s unthinkable.”
 In his complaint to the Illinois Attorney General, Winston theorized the state
system, not his computer, had been hacked by criminals. He wrote: “This should
be given the highest priority by all authorities.”
Winston is one of hundreds of Illinoisans reporting that unemployment benefits
never reached their accounts, according to records obtained from IDES by the
Chicago Tribune.
Now, state lawmakers are questioning the efficacy of state cybersecurity after
other repeat hijacking victims suggested scammers could have compromised IDES
systems.
While IDES reportedly continues to address the evolving fraud, the agency
declined to explain why it has been unable to stop repeat theft from the same
accounts, even after the fraud was identified.
The rise of account hijacking cases in Illinois accompanies a growing wave of
unemployment fraud that has swept through IDES since the early months of the
pandemic. IDES exposed Social Security numbers and other personal information of
nearly 32,500 unemployment applicants when a new system went online to handle
claims from self-employed and gig workers, leading to multiple lawsuits by
applicants who had their identities stolen.
Cybersecurity experts estimate the flood of imposter fraud, where criminals file
fake claims in the names of real people, likely cost the state more than $1
billion.
But unlike imposter fraud, account hijackings occurs when a criminal reroutes a
real unemployed person’s payments to a new bank account for their personal use.
[to top of second column] |
This requires hijackers to access IDES systems and
change financial information in residents’ accounts, raising
questions on how scammers are bypassing state cybersecurity
measures.
So far, IDES has suggested the fault rests with claimants who were
likely scammed out of their account login information.
Senate Republicans took up the charge July 29, calling for a broader
audit of IDES and accusing Gov. J.B. Pritzker’s administration of
trying to hide the scope of the issues.
IDES has declined to share figures with the public
on how many Illinoisans reported being robbed of their benefits
during the pandemic and how much money was stolen. Additional audits
of IDES by federal officials revealed the state agency was late to
adopt free security tools that could have protected thousands of
residents against fraud.
“If you look at the state of California, a blue state, they’re
releasing unemployment fraud information,” state Sen. Jason Plummer,
R-Vandalia, said at a news conference. “If you look at red states
like Kansas, they’re doing the same.”
That sentiment was echoed by state Rep. Lamont Robinson, D-Chicago,
the chairman for the Illinois House Committee on Cybersecurity. He
also called on IDES to release more information, saying politics
should not get in the way.
“Look, the cat’s out of the bag,” Robinson said. “The director knows
she has an issue. The governor knows it’s an issue. I don’t think
anybody’s hiding anything.”
Robinson said he, too, would support a deeper audit if he felt the
issues were not being adequately addressed by IDES. One industry
expert told Robinson’s committee the solution for a majority of
IDES’ woes is relatively cheap and simple: a security protocol
called multi-factor authentication.
“Account takeover is 10-year-old stuff,” said Haywood Talcove, an
executive with LexisNexis Risk Solutions who testified before the
cybersecurity committee. “It shouldn’t be happening anywhere.
There’s no excuse for it.” That security measure, long employed in the private sector, requires
people to enter their passwords, then confirm their login with a
separate code temporarily sent to one of their personal devices.
Talcove warned lawmakers in July that scammers who made a fortune
defrauding the state are not going to stop with unemployment
benefits.
Illinois Attorney General Kwame Raoul reported spending over $2.5
million to combat a ransomware attack that crippled his office in
April. It might have exposed gigabytes of confidential and personal
records, and parts of his website remain offline.
Despite calls from both Democratic and Republican lawmakers to make
the full extent of state unemployment fraud public, IDES continues
to ask patience of Illinoisans. Too bad scammers won’t wait. |
