Ohio unemployment says it fixed 'security flaw' that locked down 28K accounts

Jessie Balmert, Cincinnati Enquirer
Updated ·2 min read
Ohio officials emailed unemployment claimants Monday with information about how to unlock their accounts.
Ohio officials emailed unemployment claimants Monday with information about how to unlock their accounts.

Ohio's unemployment system locked down more than 28,000 accounts and paid about $189,000 in bogus unemployment claims because of a recent security flaw.

Ohio Department of Job and Family Services attributed the problem to a "code flaw" that linked the unemployment system and OH ID, which allows Ohioans to create one account for multiple state websites.

“Our teams are working to ensure bad actors don’t have any opportunity to take benefits out of the hands of eligible Ohioans,” Director Matt Damschroder said in a news release. The department estimated $189,184.62 was paid out in bogus claims.

Starting in late June, Ohio unemployment officials started hearing from a large number of people who received alerts via email or text message about claims they had not filed. In response, Ohio officials locked down more than 28,000 accounts with suspicious activity and started searching for the problem.

Ohio fixed the code vulnerability on July 18, Damschroder said in an interview. This attack targeted Ohio's system because of this unique problem. Unemployment officials have been in contact with law enforcement.

Ohio Department of Job and Family Services officials locked down the accounts to prevent more fraud. But that led people who were legitimately unemployed to lose access to their benefits. Many called the hotline, where they spent hours on hold.

Ohio had no way for individuals to unlock their own accounts, forcing them to wait on the phone for hours. Another problem: if the wait time exceeded the hours the call center employee was working that day, the system wouldn't let the caller get in line to wait.

Over the weekend, the Ohio Department of Job and Family Services launched a new way to unlock the accounts. This process involves setting up two-factor authentication and answering some questions about financial or residential history. The latter is to ensure hackers aren't the ones unlocking the accounts for their own benefit.

Damschroder said it's too soon to tell, but he hopes this option will unlock accounts quicker and cut down on calls to the helpline.

The security problem is evidence that Ohio's unemployment system is still susceptible to fraudsters. But state officials say the problems are less frequent because of improvements to their fraud detection technology − tips they took from the private sector.

How to unlock your unemployment account

Ohio Department of Job and Family Services recommends those with locked accounts take these steps:

  • Go to unemployment.ohio.gov and click the login button.

  • Create or authenticate an Ohio ID.

  • You might need to set up two-step verification or answer security questions to verify your identity.

  • If you can't access your account, call Ohio Department of Job and Family Services at 1-877-644-6562.

  • If you were a victim of fraud, you can report it at unemployment.ohio.gov by clicking “Report Identity Theft/Fraud."

Jessie Balmert is a reporter for the USA TODAY Network Ohio Bureau, which serves the Columbus Dispatch, Cincinnati Enquirer, Akron Beacon Journal and 18 other affiliated news organizations across Ohio.

This article originally appeared on Cincinnati Enquirer: More than 28K Ohio unemployment accounts locked due to 'security flaw'