Call Kurtis Investigates: State Adds Security to CalJOBS Website After CBS13 Exposes Vulnerability
SACRAMENTO (CBS13) — A day after we uncovered a security flaw in the CalJOBS website that exposed the personal information of up to 1.4 million Californians, CBS13 has learned the website has added a new layer of security to its database containing names, addresses, phone numbers, job histories, email accounts and salary information. This as more users realize their information has been compromised.
Iraq war veteran Gary Kimzey says within a week of posting his resume to the site, he was hit with three scam job opportunities through email and texts. In each case, the scammer claimed to get his information through the CalJOBS website. He said he only posted his resume on the password protected website, because it's a requirement to collect unemployment benefits.
"If I'm not willing to be on the site, then it jeopardizes my chance of collecting unemployment benefits," Kimzey said.
He didn't fall for the scam after seeing the story of Tina of Lodi. She says she was hired for an entry level data entry job where she could work from home. She says she worked for a week and received her first paycheck which came with extra money to buy a computer they required for the job. After she wired off $1,600 to their computer vendor, she learned there would be no computer. That paycheck she cashed was fake and she was scammed out of $1,600.
"Right now I'm so hopeless," she said.
The California Employment Development Department runs the CalJOBS website. Spokesperson Loree Levy insists it's not easy to break into the database posing as an employer. We managed to access the database in less than three minutes creating the fake company name "Look How Easy It Is", giving us access.
State Senator Jerry Hill has called for an immediate change requiring verification of employers, after he also created a fake account using the company name, "we will defraud you".
"It is at the height of incompetence," Hill said.
We asked U.C. Berkeley computer science professor Doug Tygar to analyze the security gap. He's concerned once a scammer is in, they can also post bogus job opportunities.
"I don't even have to reach out to you to create the scam. I can wait for you to come to me, and then scam you," Tygar said.
It now appears EDD has quietly made a change to the CalJOBS site. Instead of easily accessing resumes, a warning now pops up after creating an employer account reading, "Your employer account is not enabled at this time. If you have recently registered, your account will be verified within 72 hours."
In a statement, EDD confirmed the change saying, "the Department did implement a 72-hour hold on new employer registrations to allow the Department more time to authenticate the postings. This is one method in our toolbox that we can use when we see an uptick in suspicious activities."
EDD did eventually shut down our accounts with obvious fake names. Senator Hill sent EDD's Chief Deputy Director Sharon Hilliard a letter saying another account created in his office using a legitimate sounding business name is still active.
EDD has said its fraud detection process is working claiming it's shut down seventy fraudulent accounts since the fall. It also insists no confidential information was compromised saying the information we accessed is the same information jobseekers often post on other sites.
Senate President Pro Tem Darrell Steinberg Statement
"It's imperative that people's personal information remains private and protected, and Californians certainly need to be able to trust in the security of a government website. The apparent ease of fraudulently accessing job-seekers' information on the CalJOBS website is a serious problem that EDD needs to address, and Senate President Pro Tem Steinberg supports Senator Hill's call for an investigation."
EDD's Written Response to Our Investigation
- As we have repeatedly stated in both our interview with you and the information we have sent you in numerous messages, no confidential information was compromised as a result of the current CalJOBS employer registration process.
- Last Friday, the Department did implement a 72-hour hold on new employer registrations to allow the Department more time to authenticate the postings. This is one method in our toolbox that we can use when we see an uptick in suspicious activities.
- We have a continual vetting process for potential employers and we continuously monitor the CalJOBS system to detect, deter, and block improper access and use of the system. We use tools provided by our vendor Geographical Solutions, we can implement holds, and we dedicate staff who review all new employer registrations throughout the day.
- We continue to warn job seekers to be careful when responding to any email, as well as our reminding them that there is no legitimate reason an employer would ask for money or checks.
- If a jobseeker includes their cell phone number and/or private email address (and indicates that they wish to be contacted via these forms of communication), employers are able to send text or use private email addresses.
- Jobseekers can also select to only use the internal communication tool available within the CalJOBS system, instead of providing an e-mail address or phone number.
- We do continually post and warn job seekers about scams that show up throughout the internet. We've put a notice on the CalJOBS home page in RED text advising job seekers of scams in the system and advised them that legitimate employers will not request money from them.
- Again, this is a typical phishing scam that we warn people against - both on any specific scam we identify and in general: "don't respond to emails that ask for money or checks."
- As noted before, since Jan. 1, 2013 (last year), we have had fewer than 10 people alert us to possible scams, which we responded to immediately.