Call Kurtis Investigates: Security Flaw at CalJOBS Website Exposes Personal Info of up to 1.4M Californians
SACRAMENTO (CBS13) — A CBS13 investigation found that it took less than three minutes to pose as an employer and access the password-protected CalJOBS website, operated by the Employment Development Department. The state requires the unemployed to register on the website before collecting unemployment benefits.
Lodi Viewer Victimized
Tina from Lodi says she posted her resume to the site and received a job offer in her CalJOBS email inbox. It read, “after reviewing your job on CalJOBS, we believe you are qualified for the position.” She says she’s heard of job email scams before, but trusted this entry-level data entry job where she could work from home, because it came through the CalJOBS website. Hired after an online interview through Yahoo Messenger, Tina says she worked from her home computer for a week before getting her first paycheck for $1,900. It came with extra money to buy a special computer they required she buy from their vendor.
It wasn’t until after she wired off $1,600 that she learned there would be no computer. The paycheck she cashed was fake. She had been scammed out of that $1,600.
“A person can live and spend a month with this check,” she said. “Right now, I’m so hopeless.”
EDD Spokesperson Loree Levy says when employers register to get into the CalJOBS site, they must provide information including an unemployment insurance tax identification number as part of the process.
“Doesn’t something like this expose a vulnerability in your system?” Ming asked Levy.
“No. Unfortunately that’s why scammers are there. They scam any particular system,” she responded.
Ming: “A scammer infiltrated your system using someone else’s number.”
Levy: “I don’t know how they were able to portray an employer with an identification number.”
Levy told CBS13 she didn’t think it was “easy at all” to break into the CalJOBS website.
As part of our investigation, we went onto the CalJOBS webpage and made up the company “Look How Easy It Is.” Registration requires information including the tax ID number, as Levy mentioned. CBS13 has decided not to report exactly what we entered into the website, but in two minutes and fifty-seven seconds, we successfully registered and had access to page after page of personal information including names, addresses, phone numbers, job histories and salary information.
“Unbelievable,” said State Senator Jerry Hill after we showed him our findings.
In fact, the Democrat from San Mateo didn’t believe us until he entered his own fake company name, “We Will Defraud You,” which was accepted, giving him access to information scammers could use to steal the identities and gain the trust of up to 1.4 million vulnerable job seekers registered on the site.
“Dog gone it. This system should be secure. This system is the personal information of people who are trying to honestly and legitimately look for work in California,” Hill said. “It is at the height of incompetence.”
Hill is calling for an investigation and for EDD to verify all company information before giving any possible employer access to the website.
Our accounts and that of Senator Hill were shut down within 24 hours of us accessing the site. In a statement, EDD claims, “our fraud detection process is working. We have a continual vetting process for potential employers, and we take down their profile as soon as we determine they aren’t legitimate…. The EDD is always working with the vendor to develop more sophisticated monitoring and detection tools.”
Their security efforts didn’t stop the scammers before they could target Tina, who is left trying to figure out how to pay back the $1,600 she doesn’t have.
“I trusted CalJOBS. I have no job, no money.”
EDD Advice To Avoid Job Scams
- You should never send money to an employer requesting money.
- There are no legitimate reasons that an employer would request money;
- Be cautious of any employer who charges a fee to either employ or find placement for you;
- Do not respond to any employer requesting that you transfer funds or receive packages for reshipment, especially if they are located overseas. Most of these employment offers are check-cashing or shipping scams;
- Do not provide your social security number or any other sensitive information to an employer unless you are confident that the employer is legitimate;
- Research the company to ensure it is authentic; contact the Better Business Bureau to determine the legitimacy of the company.
- Job seekers may mark their resume “non-searchable,” thereby blocking employers from searching and viewing their information, while still allowing them to search for jobs themselves.