FRANKFORT, KY — Kentucky is shutting down its unemployment insurance website for four days because of cyberattacks and fraud attempts.
Gov. Andy Beshear's general counsel, Amy Cubbage, who has been overseeing the Kentucky Office of Unemployment Insurance, said Thursday that the customer side of the UI system will shut down to make sure no one can gain access to customer accounts, in light of recent unauthorized activity.
Cubbage said UI's public-facing systems will be offline starting at 12 a.m. Friday through the end of the day Monday. The system will reopen Tuesday morning.
She said unemployment claimants will be unable to file new claims during that period, but claims will be backdated for those individuals. "No one will lose out on their chance to request those weeks of benefits," she said.
Cubbage said the UI office's internal systems will remain operational, and staff will continue working on people's claims.
After the shutdown, all unemployment insurance claimants will have to re-register their online accounts, including people who signed up recently. Cubbage said everyone will have to re-register as though it is their first time using the UI system.
"Massive" fraud attempts from "cybercriminals"
Beshear and Cubbage each said "massive" fraud and hacking attempts are the reason for the system shutdown.
"UI systems across the United States have become targets of massive fraud. And it's fraud that's not the kind that UI systems have traditionally been able to detect and deal with," Cubbage said. "Most of the fraud in the past has been one-off kind of fraud, where someone files and they lie about why they were discharged, that kind of fraud."
The fraud Kentucky and other states are seeing now is of a much larger scale, Cubbage said.
"This is organized fraud, often cybercriminals who are located overseas, and it includes the filing of fraudulent claims, as well as now moving into attempts to break into existing accounts and steal the benefits that are being awarded to proper claimants," Cubbage said.
In Kentucky, Cubbage said criminals have been using automated computerized processes to try to guess claimants' four-digit PINs and access their UI accounts. She said the UI office does encrypt those PINs, but thousands of claimants have been using easily guessed PINs, such as "1234" or "2020."
"When you've got a PIN like that, it's easy for a computer criminal to simply set up a program that allows you to try that PIN across all of the...accounts, so that's what we've been seeing," Cubbage said.
New PINs for claimants, additional security steps
Cubbage said letters with new eight-digit PINs will go out to claimants starting Friday.
When the online claims portal, at uiclaimsportal.ky.gov or through the Kentucky Career Center website, reopens Tuesday, claimants will not only have to re-register, but they will also have to go through more steps to log into the website.
Cubbage said users will have to create a new, 12-character password that will require a mix of letters, numbers and special characters. They will have to verify their email address and receive an access code through their email account.
Claimants will have to use the new eight-digit PINs they receive in the letter from the state. They will have to review all the information on their account to make sure it is correct. If their account information is not correct, or if the last four digits of their bank account or routing number are not in their UI account, they can receive their benefits in the form of paper checks.
Cubbage said only new claimants can enter account information for the time being.
In addition to using the new PIN online, claimants will have to use the new eight-digit PINs when using the telephone claiming system.