By Kenny Choi and Abby Sterling, KPIX 5
SAN FRANCISCO (CBS SF) — Imagine discovering one day that your bank account has been hijacked by an imposter who has stolen all your money. It’s the latest twist in a hacking epidemic involving unemployment debit cards that KPIX 5 was first to expose last fall.READ MORE: Bay Area Health Workers Cheer Newly-Approved 1-Shot Johnson & Johnson Vaccine
Instead of stealing the benefits in cash at ATMs as we have been reporting for months, some fraudsters are literally hijacking victims’ accounts and transferring the funds to themselves.
“I feel it’s very invasive. I feel violated,” said Michelle Barrionuevo Mazzini.
“My identity is being hijacked!” said Linda Kucma.
RELATED: KPIX EDD Fraud Special Section
Kucma and Barrionuevo-Mazzini have never met each other, but they have a lot in common right now. Their EDD debit card accounts at Bank of America recently got hijacked.
Barrionuevo-Mazzini found out while pumping gas.
“I was able to pump maybe probably around $9.50. And then the pump stopped on me,” said Barrionuevo-Mazzini.
She called the number on the back of her Bank of America debit card and got a rude surprise.
“It said I was locked out,” Barrionuevo-Mazzini said.
Surprise turned into shock when she finally got through to Bank of America’s fraud department.
“They were able to confirm that the email in the account was not my email,” said Barrionuevo-Mazzini.
And the routing number was not “her” routing number. It was the fraudsters’.
“They had removed my bank account information. They had put their routing information, their bank account,” she told KPIX 5.
Someone had hijacked her account and stolen everything in it, altogether $7500 dollars.
Same thing happened to Kucma. She found out when she went online to pay a bill.
“I was at zero and I knew something was wrong immediately,” said Kucma.
She says after hours on the phone to file a claim, a bank employee confirmed her worst fear: A fraudster was impersonating her and had drained $3,000 dollars from her account.
“This person literally got into my profile, changed my email, similar to you, Michelle. Then they had the nerve to go ahead and set up a complete transfer,” said Kucma.
“Basically it’s an account takeover,” said certified fraud examiner Steve Morang. “If, in fact, they were able to get the EDD recipients’ personal identifiable information, we call it PII, which would include name, birth, date, social, address, then they’re able to go in and basically impersonate you.”
The routing number for both Barrionuevo-Mazzini and Kucma is the same: It traces to Sutton Bank in Ohio.
From there, in Kucma’s case, the money was then transferred into a “cash app” account.READ MORE: Antioch Gas Station Shooting Leaves Man Suffering Life-Threatening Injuries
“What the fraudster wants to do is he just wants to get more and more steps away from you with that money. Once money has been out of an account for more than 48 or 72 hours it’s almost impossible to retrieve that money,” said Morang.
Morang suspects in these cases the personal identifying information came from EDD, because the victims are all EDD claimants.
“This data breach could have happened six months ago, a year ago, two years ago,” Morang said. “It doesn’t matter because your information will never change. It has a very long shelf life.”
A former job placement worker we spoke to suspects the same. We agreed not to reveal his identity. He says 15 years ago he worked for an EDD partner agency that helped people find jobs.
“We were trained to access the EDD databases, employment databases to verify the information provided by the jobseekers,” the former worker told us.
He says everyone at the non-profit had logins that allowed full access.
“It was obvious then that if they’re giving partner agencies that much free reign of their databases, that this was a problem,” said the former job placement worker.
KPIX 5 asked him what kind of information he was talking about. His response: “The top of the heap, social security numbers, home addresses, account numbers.”
A few years ago he came across his old login, and tried it back then, out of curiosity. He told us it was still active.
“I’m seeing the same thing I was able to see when I worked for the agency, just full access to personal information of the people who were registered for jobs services with the Employment Development Department,” said the former job placement worker.
That open access is exactly what Barrionuevo_Mazzini and Kucma have feared, leaving them in a constant state of anxiety.
“You had your bank information there. I did. And our full names and our personal addresses. Kenny, they’re able to see all of that at this time,” said Barrionuevo_Mazzini.
After KPIX 5 gave Barrionuevo_Mazzini’s name to Bank of America she got all her money back.
As for Kucma, Bank of America gave her a provisional credit, but fraudsters struck one more time.
“The person again went into my account, changed my password and took the credit,” said Kucma.
Once again, she got a refund. But that still wasn’t the end of it. In a series of adjustments, the bank took all her money back and more. Her account is now negative more than $17,000.
“It’s a completely different treatment that EDD clients are getting right now. And it’s not right because those are the people who are really suffering and they should be taken care of,” said Kucma.
Both women are now switching to paper checks. They say they’re not leaving anything in Bank of America any more, because they just don’t trust it.
EDD meanwhile denies the former job placement worker’s allegations.
In an email to KPIX, spokesperson Loree Levee says: “Staff, including an employee with a community based organization that may have been working with EDD and/or our local partners on job search activities, would only be interacting with our online labor exchange CalJOBS system, not our main EDD database. And they would only have access to the last four digits of the SSN in CalJOBS, NOT the full SSN or other Personal Identifying Information.”
KPIX tried to contact Sutton Bank and got through to a customer service representative after a long wait. She put the call on hold, then hung up.MORE NEWS: Hundreds Rally in San Mateo to Denounce Violence Against Asian Americans
In a statement from Bank of America’s Bill Halldin, he said: “In our business, we refer to these as “account takeovers” – where someone has been able to gain access to an account. We haven’t seen it much in the context of the unemployment program.”