Categories
Uncategorized

Washington DOL victimizes ESD breach victims

On February 1, 2021, Washington State Auditor Pat McCarthy announced that personal information of about 1.4 million people in the Employment Security Department system had been snagged by unknown persons. The data breach was not from the ESD system. Rather, the Auditor’s office was transferring the data through a file transfer service provided by Accellion, a foreign-owned corporation based in California. The Auditor’s office (recklessly) did not first encrypt the data, which would have made any breach no big deal. The Auditor’s office was transferring this data as part of a fraud audit. The fraud audit has now greatly increased the potential for fraud against 1.4 million people.

The Auditor reported in a Legal Notice the following data had been exposed:

“These ESD data files contained unemployment compensation claim information including the person’s name, social security number and/or driver’s license or state identification number, date of birth, bank account number and bank routing number, and place of employment.”

Two steps an ESD victim can take are to 1) replace the WA State driver’s license (or ID card) number and 2) change bank account number.

Based on information as of February 11, 2021, changing the license number does not cost, but to get a license with the new number does incur a charge. More on how DOL victimizes the victims below.

Changing DOL number for Driver’s License or ID Card

The Department of Licensing is giving out confusing, if not contradictory, information about changing the DOL number on driver licenses and ID cards. For example, DOL spokesperson Christine Anthony said:

” We’re not certain at this time [February 9, 2021]if information from our agency [DOL] was part of the data breach. “

However, the Auditor’s Legal notice of February 1, 2021 included this:

“These ESD data files contained unemployment compensation claim information including the person’s name, social security number and/or driver’s license or state identification number, date of birth, bank account number and bank routing number, and place of employment.”

Some DOL telephone representatives are saying the license number can be changed and some are saying the license number cannot be changed.

One victim did get a new drivers license number without charge, but was then told to purchase a replacement to get the physical driver license card.

Customer Service Specialist Rachael Houskeeper reports that “We are currently assisting customers in changing their license numbers (including ones that start with WDL) due to the ESD breech and you do need to purchase that replacement.”

Spokesperson Christine Anthony says “We simply do not have the ability to waive required fees for replacement licenses” after a new number is issued for the license.

Apparently the inability refers to State law RCW 46.20.200 that sets the replacement rates.

The Department of Licensing has repeatedly informed this writer that replacement would be $20.

The $20 charge — in the opinion of this writer — violates RCW 46.20.200(2).

RCW 46.20.200(1) applies to “lost or destroyed” and “duplicate”. Lost
or destroyed is not the same as valid, but exposed through breach
while in State custody. A change in DL number means it cannot be a
duplicate, therefore (1) does not apply.

Paragraph (2) says “or correct material information”. Change of driver license number could be considered a correction of material information. In any case (1) does not apply and (2) sets a fee of $10, not $20.

The Governor should make a proclamation to waive the fee for victims. Or. the State Auditor should reimburse the cost of replacement. [The State Auditor was asked if reimbursement will be provided. No response as of February 12, 2021.] Or, the elected representatives to Olympia should pass a law to help the victims.

Aside from any inaction by elected leaders, why is DOL insisting the charge must be $20? More money! Further victimize the victim.

As of this writing [February 11, 2021], DOL has NOT put up a web page to clarify the process or the fees to get a new license number and replacement card for the victims of the data breach. The Washington State Auditor has only provided generic suggestions. This author agrees with the author of the editorial titled “Analysis: Washington state’s response to data breach affecting 1.4M people is stunningly callous“.

Putting up a web page would certainly reflect the seriousness of the breach, streamline the process, and getting everyone on the same page.

Senator Jim Honeyford said on February 12, 2021:

“1.  I proposed in Ways and Means that we should be helping the victims to at least be able to check for fraud.  I didn’t receive any support and am exploring to put that into a bill.
2.  I support issuing new DOL numbers.
3. I  would support a [DOL] web page with helpful information on how to deal with the impacts of this breach.”

For those who want to proceed, here’s the procedure one person used to obtain a new driver license number number WITHOUT COST. However, per comments above, DOL is charging for the actual license [as of February 11, 2021] that would show the new number.

Visit this page first:

https://www.dol.wa.gov/driverslicense/replacelostlicense.html

Make sure you do NOT have any restrictions.

Call the DOL customer service number: 360.902.3900, then this sequence to get to a person:

1 for english

2 to replace

1 replace

0 for customer service person

last four of SS# and data of birth

press 1

enter last 4

8 digit date of birth

12345678

stay on the line

Explain that you are victim of the breach of ESD data in the custody of the Washington State Auditor and that you want a new license or ID number.

Changing Bank Account

These instructions are for direct deposit, which is most common.

General tip on direct deposit. One claimant had the foresight to use a bank and bank account number that was used for nothing other than direct deposit of ESD payments. Once payment arrived, the claimant did a transfer to another bank. Because of this foresight, the damage from any breach was already limited because isolation from the other bank used for the day-to-day activities.

Work with your bank or credit union to create a new account so you have a new account number. Once you have the new account number, you need to update the ESD system.

Log into the ESD system and click on settings in the upper right.

Then look for and click on “Update payment information”

Click on Direct Deposit.

Click on Yes for “I am granting the Unemployment Insurance Agency permission to credit my account.”

Then enter your name (as it appears with the bank)

Choose bank account type

Add the routing number

Enter name of the bank (if not auto-populated)

Enter the account number

Enter the account number again in the confirmation field.

Categories
Banks

BECU.org Travel Issue

BECU.org invites members to report their travel to help alleviate problems with remote card purchases.

However, the signup page includes this section that leaves a customer knowing what to do. The BECU site uses “dates” and “date” above the form. Which is it? Are the two fields for two departure dates (suggested by “dates” or is the second one for a return date (suggested by “date”?

This is an example of bad user interface that confuses and frustrates a customer — and likely leads to phone calls for clarification.

Another BECU issue: BECU Hypocrisy on Security

Categories
Retail Email

Wonky Walgreens

Part of customer service these days is to accomodate customers. Seems like a no-brainer. Walgreen’s, however, has moved into the wonky concept of customer service when it comes to unsubscribing from email promotions.

I’ve unsubscribed several times over the past several weeks. And I still get their emails. The second to last time I tried to unsubscribe I got a message that my email address was not in the database. See image below.

Even though not in the database, I’m still getting emails. On January 8, 2021, I try again, and now I get a page to unsubscribe where the unsubscribe button is grayed out, meaning the button is not active.

Walgreen’s concept of customer service is wonky, to say the least. My option now is to start a) marking all emails from Walgreens as spam, hoping Walgreens’ email server gets blacklisted or b) make daily visits to the manager of the local Walgreens so that he or she can get on the phone with the corporate office. Oh, I guess there is one other option in Washington State: sue Walgreens for non-compliance with the unsolicted email law.

Update 2020-01-14: Called Walgreen’s customerNONservice again today and asked to talk with the IT department. Said they would have to have someone call me back. I gave my number and guess who called? A Walgreen’s Customer Service Robot! I guess that is the definitive action that Walgreen’s sees customers as impersonal money machines.