The Covid-19 caseload in Arkansas was more than 4,800 on Monday and the number of deaths related to virus had reached 100, as Gov. Asa Hutchinson announced further easing of business restrictions.

Bars located in restaurants will be allowed to reopen on Tuesday. Free-standing bars, not associated with restaurants, will be allowed to reopen on May 26, according to Hutchinson.

Indoor venues, such as like museums, movie theaters, funeral homes and the state’s three casinos were allowed to resume operations Monday.

PUA Data Breach

At his daily briefing on Monday, Hutchinson responded to a number of questions about an alleged security breach of the state’s online Pandemic Unemployment Assistance system. Pandemic Unemployment Assistance payments are available to self-employed people who are out of work because of the coronavirus outbreak. Approximately 30,000 applicants had submitted their information to the site, according to Hutchinson.

Last week, The Arkansas Times reported that a computer programmer who applied for benefits discovered a security flaw within the website. The flaw left applicants’ personal information, such as bank account information and Social Security numbers exposed. The programmer tried to contact the state Division of Workforce Services then alerted the Arkansas State Police.

At his daily briefing on Saturday, Hutchinson said the system was shut down after it seemed that an applicant had “illegally accessed the system.”

Questioned Monday about his report that someone had “illegally accessed the site,” and its conflict with the Arkansas Times‘ report that the applicant had tried to report the vulnerability to the state Division of Workforce Services then alerted the Arkansas State Police, Hutchinson said his report and the Arkansas Times report do not necessarily “conflict with each other.”

“My information is that the data was exploited,” he said. “And so that raises serious concerns. That is the reason the site had to be shut down.”

Hutchinson said he doesn’t know that the information on the site was manipulated in any way, which would be illegal, but it appeared that others’ data was seen.

“That is a concern to us and that’s what constituted a breach,” Hutchinson said.

At Monday’s briefing Arkansas Times editor Lindsey Millar asked Hutchinson what law he believes the applicant broke and why he sees the applicant’s actions in a negative light rathern than someone trying to help the state protect sensitive information.

Hutchinson’s reply:

“It is our requirement whenever we have a breach of a system or a data breach that we notify the insurance carrier, we want to make sure the proper steps are taken, to protect personal identifiable information. We took those steps. One of those steps is we do report it to law enforcement so they are aware of the breach so that they can put it in context of any other cyber attacks that might be taking place, that this would add another piece to the puzzle. In this instance, they recognized this as something that should be investigated further, they are doing that. As to specific laws that are violated, I think I will leave that to the law enforcement professionals to answer that question, but it is certainly something that whenever you go in an manipulate a system in order to gain access that you’re not allowed to have permission to access, that is a violation of the security that we want to have in place on these systems and it would be a violation of the law as well, I would think.”

Questioning further, Millar asked Hutchinson, if a member of the public sees a vulnerability shouldn’t they report it?

“The question is, do you see a vulnerability? or did you find a vulnerability? I think we’ll let the investigation speak for itself on those points,” Hutchinson said.