Georgia is paying hackers thousands of dollars to break into a system that millions use to access assistance programs like food stamps and Medicaid, and they’ve already uncovered dozens of gaps, according to the Department of Human Services.

Georgia is believed to be the first state in the nation to offer a “bug bounty” on a benefits management portal. Hackers are paid a one-time reward if they find a tech glitch in the Georgia Gateway portal.

So far, hackers have found about 30 vulnerabilities in the system, and the state is in the process of fixing all of them.

The stakes are high when it comes to protecting benefit management systems, which contain the private data of any Georgian using one of the safety net programs. If unfriendly hackers were to break into the Gateway system, they could steal personal information that could be used to steal identities, and the state could face expensive fines from regulators.

When DHS launched the hacker bounty program, Chris Apsey, a cybersecurity expert with DHS, said the initiative would help protect tax and health information for state residents.

The initiative comes after some Georgians who receive benefits had reported their Gateway accounts were compromised and money stolen from them following the rollout of the state’s $350 cash assistance payments last fall. The Georgia Bureau of Investigation, the state Attorney General and DHS are working together to investigate.

But DHS has said the reports of fraud are likely tied to information leaked in other, unrelated data breaches, which was then used against individual recipients. Apsey made it clear there’s no evidence Gateway has been hacked by bad actors.

“Of course it’s always possible, which is why we’re doing this program to make sure that we are one step ahead,” said Apsey.

Problems hackers uncover with the system here could exist in other states. Financial vendor Deloitte, which designed the Gateway system, has also provided similar systems to other states.

Apsey said that the state has relayed each finding to the federal government and Deloitte.

Karen Walsh, a spokesperson for Deloitte, said that she could not comment on particular systems, but said the company is always working to improve its security measures.

Walsh wrote in an emailed statement, “We work collaboratively with the State of Georgia and other clients to constantly enhance the security of our systems, respond to ever-changing cyber threats, and fortify system protections as issues are identified.”

DHS partnered with the cybersecurity company HackerOne to find hackers with the technological chops to find loopholes in the state’s system.

Since the initiative launched on March 29, the state has already paid out its entire prize pool of $200,000. The federal Centers for Medicare & Medicaid Services is covering 90% of the program costs. Payouts range from $350 for finding smaller glitches to $25,000 for locating a major issue.

Among some of the key findings:

  • One hacker found a way into the inner workings of the Gateway system and posted an announcement that had malicious code in it. In about an hour, that hacker took over approximately 100 workers’ computers on the state network.
  • Another hacker found a bug that would have allowed a bad actor to pull every record in Gateway, including all personal information from people who are in the system.
  • A loophole was uncovered that would allow a hacker to take over any account on Gateway from a customer portal account.

While paying hackers to find vulnerabilities in a system may sound odd, it’s actually a common practice in the world of cybersecurity. The program allows the state to crowdsource “a really valuable position that state governments oftentimes can’t afford,” said Apsey, who serves as the assistant deputy commissioner for Strategic Technology Innovation.

DHS said it is in the process of adding another $300,000 in reward money to keep testing the Gateway system. Data leaks can have huge repercussions, Apsey said, and so the state wants to do all it can to avoid that outcome.

“It’s just not a situation that we want to put any of our constituents in,” he said. “And so it’s just a very different beast in terms of the level of attention and overall security that the system requires.”

This story was jointly reported by Axios and the AJC, which are both owned by Cox Enterprises.