Hutchinson, a Flawed Site and Defining Exploitation

Gov. Asa Hutchinson is taking lumps in the technology press, and no wonder.

He puzzled techies and Luddites alike by making a federal case out of what seemed to be a good Samaritan’s report that the Arkansas Pandemic Unemployment Assistance website was inadvertently revealing applicants’ Social Security and banking numbers.

And Hutchinson’s insistent suggestion that the tipster did something wrong by making the website flaw public — after trying to notify the state — has confounded even a few of the governor’s regular supporters.

Techdirt.com accused Hutchinson of shooting the messenger after the PUA website, administered by the Arkansas Division of Workforce Services, was shut down after reporting from the Arkansas Times. A computer programmer and applicant who discovered the flaw notified the Times only after trying to report it to DWS and the Arkansas State Police, the Times said.

The website, which was shut down May 15, went back online with the flaw corrected on May 20. But the governor’s theory that the programmer had “exploited” the system left him looking foolish to cybersecurity professionals.

The governor “is trying to villainize the person who stumbled upon the unexpected data flow,” Techdirt’s Tim Cushing wrote Tuesday after interviewing Arkansas Times Editor Lindsey Millar, who wrote about the case.

The Arkansas Democrat-Gazette bought the governor’s argument on May 16, the day after the Times’ scoop, reporting uncritically that a “hacker” had compromised the site, and it never even mentioned the Times’ story. Other outlets were credulous, too, even though Hutchinson himself said that whoever “exploited” the site probably did not intend to commit a crime.

The day after the Arkansas Times’ report, the governor announced that the Federal Bureau of Investigation was investigating, and he defended his characterization of the programmer as an exploiter. In an email to Arkansas Business on May 19, he said: “Regardless of how you describe the breach, the FBI has opened an investigation as a result of the action of one or more individuals who exploited the system and personal information of citizens. I can’t speak to motives and I have limited my comments to information that does not impede the ongoing investigation.”

Asked Tuesday for an update on that probe, Hutchinson issued this statement: “I have received no update from the FBI and I have no additional facts to share.”

The programmer, according to the Times, found a vulnerability that exposed sensitive information of about 30,000 applicants. When the website reopened, applicants had to revise their passwords to access their accounts.

Hutchinson has reliably used “exploited” and “exploitation” in describing the incident, though he has also called it a “breach.” That language, several lawyers said, may reflect insurance and liability considerations. Hutchinson said at a news conference that “exploited” refers to actions including someone viewing sensitive information. He also said the state has notified its insurance carrier about the “breach.”

Asked if citizens should notify authorities when they see a security issue on a state website, the governor replied, “The question is, did you see the vulnerability or did you find the vulnerability?”

Under that thinking, if you discover security issues on state websites you should keep them to yourself, unless you relish becoming a subject in an FBI inquiry.

The website was designed and built by Protech Solutions Inc. of Little Rock, which has done business with Arkansas, New Hampshire, Maine, Michigan, New Jersey and Delaware.

The contract for the pandemic unemployment website is worth $3 million, and would allow $2 million more for certain contingencies. Protech has a long-term contract to run the state’s child support information system, handling payments. That contract, signed in 2016 and running through next year, is worth $42 million.

Max Brantley, the longtime political reporter, columnist and senior editor of the Arkansas Times, guesses that the governor meant to divert attention “from his administration’s failing on this by making the hacker the villain of the piece.”

Holly Dickson, interim director of the ACLU of Arkansas, defended the tipster: “There is nothing unlawful or inappropriate about trying to blow the whistle on the state’s failure to protect personal data.” Her statement added that state officials were “trying to deflect the blame for mishandling people’s personal information by smearing a good Samaritan who identified these vulnerabilities and alerted the proper authorities.”