The Unemployment Insurance Fund (UIF) has made changes to the website for its Temporary Employer-Employee Relief Scheme (TERS) after a security researcher reported a data leak.
This leak allowed anyone to obtain the UIF reference numbers of employers who had been paid out, and look up how much they had been paid.
UIF reference numbers were published as part of a list of paid employers on a website hosted under the Department of Employment and Labour’s domain.
This list of paid employers can still be downloaded in CSV format from the UIF website, but it no longer includes UIF reference numbers.
After MyBroadband and the security researcher reported the issue, the UIF reference numbers were removed from the downloadable list.
Armed with a list of UIF reference numbers, an attacker could go to the “My Payment Status” page and query the reference number.
While this page now features a Captcha, it did not have one a few weeks ago. The Captcha was only added after we raised the matter with the UIF.
Before the Captcha was implemented, it would have been simple for an attacker to write a script to extract the amounts paid and processing dates for each of the UIF reference numbers that were readily downloadable from the same website.
It is also still possible to look up the payment status and amount paid for anyone, so long as you have their UIF reference number or ID number.
The UIF does not require that you register an account or log in to look up this information.
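The risk the article describes is a classic one: a public list of identifiers combined with an unauthenticated lookup page lets anyone script bulk queries. Where a lookup endpoint cannot immediately be put behind authentication, an operator's first line of defence is to detect the enumeration pattern in the web server's access logs. The example below is added here and is not code from the UIF or from MyBroadband; it parses constructed access-log lines (the endpoint path `/MyPaymentStatus` and the `ref` query parameter are assumptions, not the real site's URLs) and flags any client that queries many distinct reference numbers within a short window, the pattern a scripted extraction would produce, while leaving a client that re-checks its own single reference number alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Assumed endpoint and parameter names for the lookup page (hypothetical,
# chosen for this example; the real site's URLs are not given in the article).
LOOKUP_PATH = "/MyPaymentStatus"
REF_PARAM = "ref"

# Common Log Format: client, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log lines (not real traffic). One client walks through six
# different reference numbers in six seconds; another re-checks one number twice.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2020:10:00:01 +0200] "GET /MyPaymentStatus?ref=1000001 HTTP/1.1" 200 512
203.0.113.7 - - [12/Jun/2020:10:00:02 +0200] "GET /MyPaymentStatus?ref=1000002 HTTP/1.1" 200 514
203.0.113.7 - - [12/Jun/2020:10:00:03 +0200] "GET /MyPaymentStatus?ref=1000003 HTTP/1.1" 200 511
203.0.113.7 - - [12/Jun/2020:10:00:04 +0200] "GET /MyPaymentStatus?ref=1000004 HTTP/1.1" 200 513
203.0.113.7 - - [12/Jun/2020:10:00:05 +0200] "GET /MyPaymentStatus?ref=1000005 HTTP/1.1" 200 512
203.0.113.7 - - [12/Jun/2020:10:00:06 +0200] "GET /MyPaymentStatus?ref=1000006 HTTP/1.1" 200 515
198.51.100.9 - - [12/Jun/2020:10:05:00 +0200] "GET /MyPaymentStatus?ref=2000001 HTTP/1.1" 200 510
198.51.100.9 - - [12/Jun/2020:10:06:00 +0200] "GET /MyPaymentStatus?ref=2000001 HTTP/1.1" 200 510
192.0.2.5 - - [12/Jun/2020:10:07:00 +0200] "GET /index.html HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return (client_ip, timestamp, reference) for a lookup request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    url = urlparse(target)
    if url.path != LOOKUP_PATH:
        return None  # not a lookup request; ignore other pages
    ref = parse_qs(url.query).get(REF_PARAM, [None])[0]
    if ref is None:
        return None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ref


def find_enumeration(lines, threshold=5, window_seconds=60):
    """Flag clients that query >= threshold distinct reference numbers within
    any window_seconds-long sliding window. Returns {ip: max distinct refs}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, ref = rec
            events[ip].append((ts, ref))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # sort by timestamp so the sliding window is well defined
        window = deque()
        for ts, ref in evs:
            window.append((ts, ref))
            # Drop requests that fell out of the window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            distinct = {r for _, r in window}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible enumeration from {ip}: {count} distinct references in one window")
```

Counting distinct reference numbers rather than raw request volume is deliberate: a legitimate employer polling its own status repeatedly generates many requests but only one identifier, whereas a script sweeping the downloadable list produces a new identifier on nearly every request. The same signal can drive rate limiting or a Captcha challenge on the endpoint, which is the mitigation the UIF eventually applied.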
Screenshots of the information returned by the My Payment Status page are included below.
MyBroadband contacted the Ministry of Labour for comment and was directed to speak directly to representatives of the UIF.
The UIF did not respond to a request for comment.