In a significant security breach, over 19,000 online accounts on BenefitsCal, a California state platform that facilitates the management of welfare programs, were compromised. The incident, which occurred on February 9, 2024, was due to threat actors exploiting reused passwords that users had also employed on third-party sites. BenefitsCal is a critical service providing Californians access to various welfare benefits including food stamps, cash assistance, and medical benefits, making this breach particularly concerning due to the sensitive nature of the information handled.
The unauthorized access was first suspected when abnormal activities were noticed in some users’ accounts. The California Statewide Automated Welfare System, which oversees the BenefitsCal platform, discovered that the intrusions had been taking place since as early as March 1, 2023. This prolonged period of vulnerability led to unauthorized access to a vast amount of personal data, including names, addresses, Social Security numbers, email addresses, phone numbers, EBT card numbers, case numbers, Medi-Cal ID numbers, and details concerning program eligibility and benefits.
In response to the breach, BenefitsCal officials took immediate action by temporarily inactivating the impacted accounts to prevent further unauthorized access. They reviewed account activities during the period of exposure and notified affected users of the breach. To secure accounts before reinstating them, BenefitsCal implemented additional security measures, such as requiring not just a password but also a verification step through users’ emails or phone numbers at login. Moreover, for those with EBT cards, reissuance was carried out to prevent fraudulent activities.
To strengthen overall security post-breach, BenefitsCal introduced several changes including the implementation of two-factor authentication (2FA) for added security during the account access process. These efforts aim to restore trust and provide enhanced protection against potential future attacks. Users have been advised to create strong, unique passwords for their accounts and avoid using the same credentials across multiple sites to decrease the risk of similar breaches in the future. The extent of the offer for free identity protection services to affected individuals by the agency remains unclear.