Social Security numbers and other personal information of up to 1.87 million Michigan workers may have been compromised, the state said Friday.
The problem stemmed from a software update to Michigan's troubled unemployment computer system, state officials said. For roughly 3½ months, it gave third-party payroll vendors and employers unauthorized access to names, wage information and Social Security numbers for a big chunk of the workforce in the state.
"There is no evidence at this time of any wrongdoing by anyone who had the ability to see the personal information, though the investigation continues to ensure the peace of mind for residents potentially affected," said Dave Murray, spokesman for the Unemployment Insurance Agency.
The number of people affected will not be known until the probe is finished. Those at risk include employees whose payroll is processed by one of the 31 third-party vendors that work with the agency—43 percent of Michigan's nearly 4.4 million payroll workers.
The software update was done Oct. 10. State officials said a "vulnerability" was identified Monday by one of the payroll companies; the state blocked unauthorized access that day.
"We are working diligently, 24 hours a day, right now to continue this investigation to determine just exactly who did access this information, who had access to it," said Caleb Buhs, spokesman for the Department of Technology, Management and Budget. He said only authorized users can get into the Michigan Data Automated System—payroll experts who are "used to handling this type of sensitive information."
Officials said if a breach is confirmed, those affected will be notified immediately. They urged people whose employers have payroll vendors to be on the lookout for identity theft by monitoring their personal financial statements for suspicious activity and requesting a free credit report.
The computer program, MiDAS, was created by Fast Enterprises of Centennial, Colorado, and brought online in 2012 as part of a modernization of the state's unemployment benefits and tax system. The software's "robo-adjudication" feature is under scrutiny after it contributed to at least 20,000 people being wrongly flagged for unemployment fraud, in part because of a lack of involvement by state staff in such determinations.
As part of a lawsuit settled Thursday, the Unemployment Insurance Agency agreed to make policy changes. Another suit, which seeks damages for people who were assessed high penalties and suffered other repercussions, is pending in the Michigan Court of Appeals.
Explore further: Quest Diagnostics says 34,000 customer accounts hacked