Illinois unemployment fraud: Fixes suggested to prevent similar attacks – Chicago Tribune


After Illinois endured a massive wave of unemployment fraud during the pandemic, a cybersecurity vendor warned state lawmakers Thursday that fraud fueled by identity theft will become an even bigger problem unless the state hardens its defenses.

“They’re not going to stop at unemployment insurance. They made a fortune,” said Haywood Talcove, a top executive with LexisNexis Risk Solutions, a firm that public and private entities pay to fight fraud.

Talcove testified to the Illinois House Committee on Cybersecurity, whose chairman, Rep. Lamont Robinson, D-Chicago, called for Illinois to become a national model within five years in stopping thieves from stealing identities and money from government websites.

“The goal is doable,” Robinson told his peers. “Today is our first step.”

State Rep. Lamont Robinson speaks during a news conference outside of Mercy Hospital and Medical Center in Chicago on Oct. 23, 2020. (Youngrae Kim / Chicago Tribune)

The fake claims may have diverted more than a billion dollars intended for Illinois workers who were laid off during the pandemic. Meanwhile, other vulnerabilities have allowed hackers to compromise computer systems in the attorney general’s office and Russians to capture personal voter information at the Illinois State Board of Elections.

For years, experts including Talcove have warned states that massive amounts of stolen personal information, obtained in recent years through various computer hacks, could allow thieves to trick unemployment agencies into sending benefits to the wrong people. Incidents of this so-called impostor fraud exploded during the pandemic.

Talcove said a vendor could stop the flood of bad claims for about $1 million a year, using the kinds of systems the private sector has employed for years. He recommended the state seek competitive bids among qualified firms, including his own.

IDES has said it’s working toward better security but worries tighter defenses may block out people who legitimately qualify for cash.

Talcove said security can be tightened without hurting legitimate claimants.

“With the technology that exists, you can have it. You can get a package delivered by Amazon in a trustworthy manner. You can make a transaction on a bank account and be safe,” he told lawmakers. “You can have the same thing with government programs.”

Illinois has yet to release figures on how much money was stolen, but Talcove said he suspects it’s at least $1 billion.

Talcove warned that instructions on how to steal from states are available for sale on unindexed, encrypted parts of the internet called the “dark web,” including a kit about stealing from IDES that costs $15.

Robinson called Talcove’s comments “alarming,” saying they underscored the need for the state to consider getting help from the private sector.

Jennifer Ricker, acting secretary of the Illinois Department of Innovation and Technology, said after the hearing that she could not speak directly to Talcove’s suggested $1 million fix but noted the state has already implemented tools to bolster cybersecurity and is working on adding more.

She noted it’s a constant battle to boost security as criminals hone their strategies. “The bad guys’ tactics and techniques change all the time, and so we do as well,” she said.

Robinson said IDES initially was invited to the hearing but lawmakers ultimately decided to hold a separate hearing on the agency’s woes.

Adam Ford, the Illinois Department of Innovation and Technology’s chief information security officer, said at the hearing that the state sees billions of attempted attacks monthly on its operations, many involving phishing emails designed to trick state employees into providing login information.

He said hackers are “constantly assaulting all state systems looking for weaknesses.” If data is stolen and encrypted, thieves can then demand agencies pay a ransom to have the data released.

“Ransomware I think stands out most in our minds as the most dangerous attack and can render agencies unable to perform their duties,” he said.