Some Questions Still Unanswered For Editor Who Broke Story On Arkansas' PUA Website Vulnerability

May 29, 2020

Investigations into the Arkansas Division of Workforce Services' Pandemic Unemployment Assistance application website due to a previous security vulnerability are still ongoing.

While the Arkansas Division of Workforce Services’ website where residents can apply for Pandemic Unemployment Assistance, or PUA, is up and running, investigations are still ongoing over a past vulnerability in the site that left the financial data of thousands of Arkansans unprotected in mid-May.

KUAR spoke with Lindsey Millar, editor of the Arkansas Times about breaking the story of the flaw in the website and what followed. Below is the transcript of the edited interview that aired on KUAR.

Millar: "On Friday, May 15, an applicant to Arkansas’ Pandemic Unemployment Assistance Program reached out to the Arkansas Times, I got passed the message and called this person back. It turned out the applicant was a computer programmer and he described that by simply altering the url for Arkansas’s PUA website, he was able to access the admin, the administration portal of the site, where he could see that he could manipulate information."

"From there, he determined that the application program interface, or API, that communicated with the database was available for him to access and it returned unencrypted, personal information, including social security numbers, and bank and routing numbers."

"So that all happened and then we engaged another programmer just to verify and help us understand and make sure we got the technical details right. That took about two minutes for another programmer to verify. Then we immediately contacted the [Arkansas] Division of Workforce Services, which oversees this program to let them know, and then the site was offline within minutes."

KUAR: "So that was Friday, May 15 and so what was the [Gov. Asa Hutchinson’s] reaction to that news?"

Millar: "So on Saturday, May 16, the governor was not supposed to hold a press briefing but did. I’d say probably largely to talk about this issue. He said that there was a criminal investigation into it and framed the applicant as illegally accessing the information."

"Monday, I asked the governor if he had concerns about the broader message that he was sending by framing the applicant, his actions as illegal in terms of encouraging citizens to report web vulnerabilities on state websites, and the governor said well the question is do you see a vulnerability or did you find a vulnerability, I think we’ll let the investigation speak for itself on those points. And that sort of attitude goes contrary to standard practice for security professionals, for data security professionals."

KUAR: "What questions do you still have about this story that you think have been unanswered?"

Millar: "I think there are a lot of questions about the contractor that still need to be answered. Whether any of the work was subcontracted. What were the terms of the RFP? What limitations did the state have in terms of choosing a contractor? And just more information about what the forensic investigation yields in terms of access."