Category: Uncategorized

On February 1, 2021, Washington State Auditor Pat McCarthy announced that personal information of about 1.4 million people in the Employment Security Department system had been snagged by unknown persons. The data breach was not from the ESD system. Rather, the Auditor’s office was transferring the data through a file transfer service provided by Accellion, a foreign-owned corporation based in California. The Auditor’s office (recklessly) did not first encrypt the data, which would have made any breach no big deal. The Auditor’s office was transferring this data as part of a fraud audit. The fraud audit has now greatly increased the potential for fraud against 1.4 million people.

The Auditor reported in a Legal Notice the following data had been exposed:

“These ESD data files contained unemployment compensation claim information including the person’s name, social security number and/or driver’s license or state identification number, date of birth, bank account number and bank routing number, and place of employment.”

Two steps an ESD victim can take are to 1) replace the WA State driver’s license (or ID card) number and 2) change bank account number.

Based on information as of February 11, 2021, changing the license number does not cost, but to get a license with the new number does incur a charge. More on how DOL victimizes the victims below.

Changing DOL number for Driver’s License or ID Card

The Department of Licensing is giving out confusing, if not contradictory, information about changing the DOL number on driver licenses and ID cards. For example, DOL spokesperson Christine Anthony said:

” We’re not certain at this time [February 9, 2021]if information from our agency [DOL] was part of the data breach. “

However, the Auditor’s Legal notice of February 1, 2021 included this:

“These ESD data files contained unemployment compensation claim information including the person’s name, social security number and/or driver’s license or state identification number, date of birth, bank account number and bank routing number, and place of employment.”

Some DOL telephone representatives are saying the license number can be changed and some are saying the license number cannot be changed.

One victim did get a new drivers license number without charge, but was then told to purchase a replacement to get the physical driver license card.

Customer Service Specialist Rachael Houskeeper reports that “We are currently assisting customers in changing their license numbers (including ones that start with WDL) due to the ESD breech and you do need to purchase that replacement.”

Spokesperson Christine Anthony says “We simply do not have the ability to waive required fees for replacement licenses” after a new number is issued for the license.

Apparently the inability refers to State law RCW 46.20.200 that sets the replacement rates.

The Department of Licensing has repeatedly informed this writer that replacement would be $20.

The $20 charge — in the opinion of this writer — violates RCW 46.20.200(2).

RCW 46.20.200(1) applies to “lost or destroyed” and “duplicate”. Lost
or destroyed is not the same as valid, but exposed through breach
while in State custody. A change in DL number means it cannot be a
duplicate, therefore (1) does not apply.

Paragraph (2) says “or correct material information”. Change of driver license number could be considered a correction of material information. In any case (1) does not apply and (2) sets a fee of $10, not $20.

The Governor should make a proclamation to waive the fee for victims. Or. the State Auditor should reimburse the cost of replacement. [The State Auditor was asked if reimbursement will be provided. No response as of February 12, 2021.] Or, the elected representatives to Olympia should pass a law to help the victims.

Aside from any inaction by elected leaders, why is DOL insisting the charge must be $20? More money! Further victimize the victim.

As of this writing [February 11, 2021], DOL has NOT put up a web page to clarify the process or the fees to get a new license number and replacement card for the victims of the data breach. The Washington State Auditor has only provided generic suggestions. This author agrees with the author of the editorial titled “Analysis: Washington state’s response to data breach affecting 1.4M people is stunningly callous“.

Putting up a web page would certainly reflect the seriousness of the breach, streamline the process, and getting everyone on the same page.

Senator Jim Honeyford said on February 12, 2021:

“1.  I proposed in Ways and Means that we should be helping the victims to at least be able to check for fraud.  I didn’t receive any support and am exploring to put that into a bill.
2.  I support issuing new DOL numbers.
3. I  would support a [DOL] web page with helpful information on how to deal with the impacts of this breach.”

For those who want to proceed, here’s the procedure one person used to obtain a new driver license number number WITHOUT COST. However, per comments above, DOL is charging for the actual license [as of February 11, 2021] that would show the new number.

Visit this page first:

https://www.dol.wa.gov/driverslicense/replacelostlicense.html

Make sure you do NOT have any restrictions.

Call the DOL customer service number: 360.902.3900, then this sequence to get to a person:

1 for english

2 to replace

1 replace

0 for customer service person

last four of SS# and data of birth

press 1

enter last 4

8 digit date of birth

12345678

stay on the line

Explain that you are victim of the breach of ESD data in the custody of the Washington State Auditor and that you want a new license or ID number.

Changing Bank Account

These instructions are for direct deposit, which is most common.

General tip on direct deposit. One claimant had the foresight to use a bank and bank account number that was used for nothing other than direct deposit of ESD payments. Once payment arrived, the claimant did a transfer to another bank. Because of this foresight, the damage from any breach was already limited because isolation from the other bank used for the day-to-day activities.

Work with your bank or credit union to create a new account so you have a new account number. Once you have the new account number, you need to update the ESD system.

Log into the ESD system and click on settings in the upper right.

Then look for and click on “Update payment information”

Click on Direct Deposit.

Click on Yes for “I am granting the Unemployment Insurance Agency permission to credit my account.”

Then enter your name (as it appears with the bank)

Choose bank account type

Add the routing number

Enter name of the bank (if not auto-populated)

Enter the account number

Enter the account number again in the confirmation field.

Below is the transcript of Suzi LeVine’s prepared statements that began her ESD news conference on 2020-06-18, 1:00pm Pacific. LeVine is Commissioner of the Washington State Employment Security Department (ESD).

Editorial Comments:

Unlike the previous two news conferences, LeVine did not put fraud at the front of the talk. No doubt most people watching or listening are more interested in knowing when they will get money from ESD.

ID verification has become so super important that LeVine now says at least 650 people (400 employees + 200 employee investigators + 50 guards people + leadership staff) are now working on ID verification. This suggests the established system in use before the pandemic was very weak in verifying identity.

LeVine has previously said there would be transparency. But, here are some items she didn’t mention:
— Is ESD using contract call-takers through a vendor?
— Are some of these call takers outside of Washington state?
— What is the roll of these call takers?
— According to one elected official, “ESD has brought in Deloitte to see if there’s a data breach.” No mention of that.
— LeVine still has not explained how ESD will identify the oldest applications. Database query reports? Manual scrolling through a million applications looking for dates?

Transcript of Suze LeVine prepared statement, 2020-05-18, 1:00PM Pacific

Good afternoon, everybody. Can you hear me Okay? Nick and team? Great. So before jumping into the updates for you, I want to pause and acknowledge that it was three months ago this week that we experienced a 10 X increase in demand for unemployment benefits in both our call and our claims volumes. As you well know, Washington has been at the forefront of many aspects of the COVID-19 crisis in this country. And the impacts to the unemployment system is no exception. We’re incredibly proud to have delivered more than 5.4 billion dollars in benefits to 856,000 people in these three months. That we are deeply aware there are many Washingtonians who are still awaiting relief. As it has been from the outset, our priorities throughout this crisis have been to get benefits as quickly as possible to those who are eligible and to increase the number of people who are eligible for benefits, even as we’ve needed to put a tremendous amount of time, energy and resources into stopping the fraud, helping the victims of that fraud and recovering the money from that fraud.

Our core mission has remained the same, get eligible, Washingtonians the benefits they need as quickly as we can. And we will continue to work truly around the clock to achieve this mission even as we keep the criminals out. We’ve made incredible progress in resolving issues, set unclaimed flag for identity verification as part of our efforts to combat fraud. And I’ll speak about that in a moment. And, we maintain a laser focus on getting folks who’ve been waiting the longest, the benefits they need. With that in mind, I was truly humbled this morning to greet about 50 national guard members as they started training to help with ID verification with more joining over the next two weeks, I shared with them the gravity of the work they’re doing, that they will be evaluating identifications to help legitimate claimants get the benefits they so desperately need. And, to stop the criminals from getting Washington taxpayer dollars. Keeping them focused on this work, allows them to be trained quickly and get to work practically right away.

We’re excited to have them as an extension of our team while they’re serving their mission with ESD. And we’re so grateful for their service to our state. They’ll join the more than 400 ESD staff, myself and my leadership team included, who shifted to work on ID verification and the 200 investigators also focused on this effort. Now, for a moment, I’m going to talk about Operation 100% and then I’m going to talk again about fraud. With Operation 100%, which we had rolled out the beginning of May, we had set the goal of resolving all unpaid claims by June 15th, for those who had applied between March 8th and May 1st. We attacked that goal, but unfortunately we didn’t make it. There was a variety of reasons. Most notably, as you know, the massive fraud attack perpetrated on our system by criminals. Now, while we face challenges in meeting this target, that, that doesn’t mean the needs of our customers are any less dire.

And we take this very seriously. We know they are increasingly desperate and we’re not going arrest until we get this solved for them. Now that we’re past that June 15th, mark, we’re resetting our targets. We’ll no longer be tracking just those in adjudication and who have applied by May 1st, but all those who have applied until today and haven’t received any payments. We’ll continue to work the oldest first. But this new target allows us to set expectations for everyone who hasn’t received payment rather than a smaller subset. And again, it’s also focusing on those who have had issues set on their claims. This doesn’t include those who have actions themselves, that they need to take. The current number of those who haven’t been paid and need ESD to act is 81,508 people. And we expect to have a new target date for that population by next week.

Again, this is more than those in adjudication and not the same pool of people we were tracking before. It includes anyone who hasn’t been paid, because issues set on their claim for a variety of reasons. To support this. we’ll also be doing another round of changes to our phone service, to focus on outbound calling, to get through these claims faster. As a reminder, the last time we limited inbound calling for a week and focused on outbound calling our staff were able to be 90% more productive in clearing issues and getting claims paid. And we expect similar, if not better results this time, we’re also doing a lot within our customer service team to improve their efficiencies and to increase the number of claims that each of those individuals in our incredible customer service staff can resolve. We’ll also be updating the Operation 100% page with the new target and information this week That’s operation 100%.

Let’s talk about fraud for a moment. Since the massive frat [sic] fraud attack started, we’ve been focused on three things, stopping the fraud, helping the victims and recovering the money. So let me start with stopping the fraud. Our modeling continues to indicate that our efforts at thwarting fraudulent claims from going out are successful. That said, and as I mentioned last week, we know that this is a never ending race and we must keep trying to run more quickly than the criminals, Now helping the victims. As I mentioned earlier, we moved over 400 ESD staff members, including me and most of my leadership team on to ID verification work. As I mentioned a moment ago, we also have national guard troops coming in to help this week. And over the next two weeks. With this boost, we expect to make significant progress. And in fact, we already have made significant progress specifically last week.

I said we had, at that time, 42,000 people who had been receiving benefits, but were paused around May 15th. I’m proud to say that we are on track to meet our target of resolving all of those claims by tomorrow. So payments can restart for those legitimate claimants among them. With the added staff capacity and help from the national guard. We expect additional resolutions to continue at pace for those whose payments were paused after the weekend of May 15th, as well as those who had not been receiving payments prior to that time where identity was another element of their claim. So, that’s stopping the fraud and helping the victim. Now let me talk about recovering the money. Our efforts to recover every dollar we can continues. And we’ve now received back 350 million. That’s up 13 million from last week alone. We are actively reaching out to the banks where we know thus far there have been fraudulent funds sent and we continue working with federal law enforcement and the banking industry in our efforts.

So again, stop the fraud, help the victims, recover the money. Now, I’m going to focus on something that may feel a little left field, but it’s still really critical as we think about how are we helping our communities in Washington state. I want to talk for a moment about paid family and medical leave. It feels like a lifetime, but it was only five and a half months ago that the paid family and medical leave program launched. And if you’ll remember, it was only 30 months from bill to benefits going live. At ESD, getting benefits out to those who are eligible includes, making sure we get benefits out quickly to those eligible for paid family and medical leave too. Despite the COVID-19 headwinds, including moving near, moving nearly all our staff to telework, only two months after launch, we have kept paid family and medical leave on track, reducing our customer response time from a peak of 11 weeks down to three weeks right now all while delivering $197 million, almost $200 million out to 54,000 people. Of note is that we’re on track for our goal of two weeks by the last week of June or the first week of July, which was the goal that we had said before the pandemic struck.

So as I’ve said before, there is no playbook for a pandemic, especially one for which the impact has been so enormous and so swift, but our agency will leave no stone unturned or resource untapped to get eligible, Washingtonians their benefits. We are so grateful for the support of elected leaders, the national guard and Washingtonians who have reached out with feedback for us. We will continue to listen, find creative solutions. And the only way we’re going to get through this is together. With that. I’m happy to take your questions.

Frustrations with financial institutions never seem to end. Some of this frustration is from sloppy product development. Take the image above from Sound Credit Union in the Seattle and Tacoma area. Note that there are two different requirements for the PIN. The first set in black is for first-time or recurring users — what people normally see. The set in red is an error message when the wrong requirements are put in. The second set does not even make sense by itself. A digit is a number (in computer land). So does the second set mean there should be four or five characters? (Five characters: four digits + one letter.)

This kind of inconsistency — nearly contradictory — drives consumers crazy with frustration. Sloppy product development creates costs for any organization through frustrated consumers who either take business elsewhere or call for support. Call center staff should not be burdened down with what is simply poor editorial control within product development.