Mike Donaghue reports:
The Vermont Department of Labor has determined a now-former employee improperly obtained “personally identifiable information” including names and Social Security numbers from its unemployment insurance program database.
A criminal investigation into possible identity theft is underway, officials said. At least 80 people are affected by the breach. Also at least seven businesses have been compromised, officials said.
Read more on The Burlington Free Press.
A notice posted on the Department of Labor’s website earlier today, reads:
Unauthorized Acquisition of UI System Information Leads to Investigation and Privacy Breach Notifications
The Vermont Department of Labor (VDOL) has identified an intentional, unauthorized acquisition by an employee of “personally-identifiable information” from its unemployment insurance program database. The now-former employee had access to such information because her regular work duties required her to utilize the department’s UI system; however, the department does not permit any employee to copy, transfer (by hard copy, electronic/downloaded transfer, or any other means), disclose or retain such data for any purpose unrelated to the department’s business. The Department has confirmed that none of its computer systems were breached.
The Department identified that the employee had acquired data from the UI system on February 24, 2015 and immediately requested that the Vermont State Police initiate a criminal investigation. Through a search warrant issued on the employee’s home, the State Police seized copies of documents and personal computer devices to begin a thorough review of any possible usage of the unauthorized acquisition. The Labor Department also reported the breach to the Vermont Attorney General’s Office, the Department of Information and Innovation, the Department of Human Resources, USDOL, and the Internal Revenue Service.
Although the State Police’s criminal investigation is continuing, the following preliminary findings are now known:
At the present time, 39 individuals’ names and social security numbers, and an additional 41 social security numbers not associated with names, have been identified as improperly in the possession of the now-former employee in copies or electronic files. Seven employers’ Quarterly C101 Wage Reports were improperly accessed, but no Federal Employer Identification Numbers appear to have been involved.
Vermont State Police are still examining the material seized in the search, including data on the employee’s home computer and from her internet provider, but have not yet identified any transfer of data to other persons or entities. Given this information, the Vermont Department of Labor, at this time, believes that the risk of identity theft arising from this incident is minimal.
However, in accordance with state law and USDOL protocol, all affected persons and employers identified in the investigation will receive a written notice from the VDOL alerting them that their personal information was improperly accessed. Letters will be sent no later than March 28, 2015. The letter encourages individuals affected by the unauthorized access to take the following steps:
- Call the Department of Labor if they have questions regarding this matter at 802-828-4301.
- Check for information posted on our website at http://labor.vermont.gov – see our Home page.
- Conduct credit monitoring, as recommended by the Vermont Attorney General’s Office, at
https://www.uvm.edu/consumer/?Page=idtheft.html
The Vermont Department of Labor continues to review all safeguards related to the disclosure of employer and worker information collected and used by the Department. The Department will review its procedures and policies already in place prohibiting unauthorized acquisition of such data and will take any additional steps identified to strengthen its protection.
The Burlington Free Press has additional details on the identity of the employee and the investigation.