This year’s online application for Permanent Fund dividends remained offline Wednesday for the second day in a row amid a potential security breach that some applicants have said allowed them to access other people’s personal information.
The Alaska Department of Revenue, which oversees the Permanent Fund Dividend Division, confirmed in a statement Tuesday that it had received complaints from users who had inadvertently seen private information belonging to other applicants who had already filed for the dividend. The department said Thursday that the exposed data is most likely due to a “glitch.”
As of Wednesday afternoon, the department had confirmed only one case of user information being shared, although dozens of people have complained on social media. Many have said that when they tried to apply, the form auto-populated with someone else’s personal data, which included birth dates, contact information, bank account information and Social Security numbers. The application was taken offline Tuesday morning, shortly after it opened at 9 a.m.
“We will be doing a very deep dive into why this occurred,” said Department of Revenue Commissioner Bruce Tangeman.
The application is expected to be back online within the next few days, Tangeman said. In the meantime, the Department of Administration, which manages the state’s information systems, is working to address the issue and investigate what went wrong, he said. Officials with the Department of Administration did not respond to multiple calls on Wednesday.
Anne Weske, director of the Permanent Fund Dividend Division, said the state will email those who were logged into the application during that window to notify them their data may have been compromised. At this time, the state hasn’t made any plans to offer fraud or credit monitoring to those who may have been affected, she said.
Weske said the application was online for about 30 minutes before it was taken down, though many applicants said they were unable to access the application when it opened at 9 a.m. — instead seeing an error message saying the application website was down for “unexpected maintenance.”
The state has not confirmed how many people’s information may have been compromised, but about 100 people had filed when the application was taken offline, according to the division’s real-time application counter.
Royce Williams, a cybersecurity advocate based in Anchorage, said online forms can be complex, and there are multiple places on both the front end and back end where the application could have gone awry. This year’s form includes a new feature that is supposed to allow applicants to pull information from previous applications, and Williams said it’s possible that’s where the breakdown may have occurred.
“The work to do that could have unexpected side effects,” he said.
Based on how specific the breach was, Williams said he believes it’s unlikely that the system was hacked. In the meantime, though, he recommends that those who may have been affected consider having their credit frozen to prevent identity thieves from opening new accounts in their names.
PFD applicants can use myAlaska, an authentication system that allows users to access multiple state services, to submit their signatures electronically. The system manages applications for state student aid, public medical assistance and background checks, among many others. The myAlaska website says user information is stored in a secure directory that “has been tested by qualified security consultants and is monitored 24-hours a day.”
The website goes on to say, “No myAlaska participant will have any access to another person’s records. The authentication system will maintain audit logs adequate to verify that administrators and privileged applications are not using the system inappropriately.”
Weske said there have been no reports of other systems that use myAlaska having similar issues.
Tangeman said applicants can still pick up a paper application at the Permanent Fund Dividend Division’s office on F Street in downtown Anchorage. Paper applications can be either mailed or dropped off in person at the PFD Division office, he said.