The Maine Department of Labor’s antiquated computer system had an indirect role in exposing thousands of Mainers’ Social Security numbers to a computer hack.

While the department’s computer system was not breached, its age and lack of compatibility with modern systems made it incapable of performing certain federally mandated steps in the processing of new unemployment benefit claims, prompting the department to outsource the work to a firm that was hacked.

“It’s 40 years old and written in COBOL,” department spokeswoman Julie Rabinowitz said, referring to the programming language developed in the late 1950s that is used by the agency’s computers.

The department contracted in July to have the work done by Kansas-based information technology consortium America’s JobLink. The consortium announced Wednesday that it had been hacked, and that up to 4.8 million user accounts were compromised.

America’s JobLink, which provides a variety of information technology services to state labor departments and employment offices, said the hackers stole the names, dates of birth and Social Security numbers of a still-unknown number of job-seekers in up to 10 states. The states include Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Oklahoma, Vermont and Maine.

Maine eliminated its Maine Job Bank service within the Department of Labor in July and outsourced the job-matching service to America’s JobLink, along with vetting and reporting of new unemployment benefits applications required by the recently amended federal Workforce Innovation and Opportunity Act. One of the requirements is to cross-check applicants against other databases containing information such as criminal history and immigration status, which requires the applicant’s Social Security number. The department’s outdated computer system isn’t capable of performing that required step.

Roughly 12,650 Maine residents have created JobLink accounts since July. Because cross-checking requires a Social Security number, those making initial claims for unemployment benefits were required to provide it to JobLink.

Because of the hacking incident, those account holders are now vulnerable to identity theft.

“Our own employees are affected by this, and we are very concerned about it,” Rabinowitz said.

Following the data breach, Mainers seeking unemployment benefits no longer will be required by the state to enter their Social Security number to receive unemployment benefits, she said, and those who already have done so can log in to their account and delete it.

Rabinowitz said emails would be sent no later than Friday to JobLink participants who were potentially impacted by the hacking incident. The email will advise recipients about the situation, explain how to put a freeze on their credit reports or take other credit report protection steps, and provide a telephone number for a national call center.

All available resources at the Department of Labor are focused on addressing the data incident, she said, adding that the department is working with the other nine states and the FBI.

“We collect a lot of personally identifying information in most of our programs,” Rabinowitz said. “The unemployment system is full of personally identifiable information and confidential tax information, and also the information that we have on clients in our programs and also in vocational rehabilitation has a lot of confidentiality around it, so we take this very seriously and we are very concerned to make sure we do the right thing for the people who are affected by this.”

Rabinowitz said America’s JobLink notified the state about the suspected hack late on March 15 or early on March 16, but there was no confirmation at that time that any Maine residents were affected. It wasn’t until late Tuesday night that the Department of Labor received confirmation that Maine participants might have been affected.

She said the state has temporarily deactivated the crosslink between Maine’s unemployment system databases and the Maine JobLink website that used Social Security numbers to link records in the two systems. Rabinowitz said the department’s internal unemployment systems were not compromised by the hacker.

“There will be no effect on unemployment benefits because of this,” she said.

The Department of Labor is working on a system upgrade that will solve the problem for the long term, but it isn’t expected to go live until October. In the meantime, the department hopes to come up with a way to meet the federal vetting and reporting requirements without requiring new applicants to enter their Social Security numbers into JobLink.

“All the options are on the table,” Rabinowitz said.

Rabinowitz said the 10 states are still negotiating with JobLink about what obligations the consortium has to the hack’s potential victims. One of the issues being discussed is whether affected JobLink users could be provided with the type of free credit monitoring offered by retailers following a data breach, she said. Under state law, Maine residents can receive annual credit reports and temporarily freeze their credit report at no cost.

In the meantime, job-seekers can continue to use JobLink to help them find jobs.

“The Maine JobLink is still active,” Rabinowitz said. “The security breach has been repaired and individuals can go in and remove their Social Security number from their account.”

J. Craig Anderson can be contacted at 791-6390 or at:

[email protected]

Twitter: jcraiganderson