SEATTLE — The Washington State Auditor’s Office (SAO) said a data breach may have exposed the personal information of 1.6 million residents who filed for unemployment last year, as well as other information from state agencies and local governments.
The breach involved third-party software used by the auditor’s office to transmit files. The software vendor, Accellion, announced last month that it had been attacked in December.
State Auditor Pat McCarthy said those potentially affected include people who filed for unemployment benefits from Jan. 1 to Dec. 10, 2020. That includes many state workers as well as people who had fraudulent unemployment claims submitted on their behalf.
The SAO said the data, which includes Social Security numbers and bank information, was exposed during a security breach on Dec. 25, 2020. Personal information including data held by the Department of Children, Youth and Families was also affected.
“I want to be clear: This was an attack on a third-party service provider,” said McCarthy. “The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident.”
Accellion, however, is claiming they notified clients of the breach on Dec. 23 and then the breach continued for a few weeks into January.
In a press conference, McCarthy told reporters that this was untrue, and that they were alerted to the breach on the 12th and learned of its extent in the following weeks.
The auditor’s office said it stopped using the software vendor on Dec. 31 “for reasons unrelated to the incident.” The SAO said it has notified law enforcement and the Attorney General’s Office about the incident and is “evaluating other tools and protocols for sharing data files in the future.”
“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens,” said McCarthy. “This is completely unacceptable. We are frustrated and committed to doing everything we can to mitigate the harm caused by this crime.”
Jesse Rothstein is the co-founder of ExtraHop, a cybersecurity company based in Seattle. He says the fact that the breach went on for weeks before Accellion alerted clients of the full extent was alarming.
“This secure File Transfer Service, one of the main features is that it’s supposed to do it securely and it’s supposed to do it with an awful lot of auditing and verification. So I’m really disappointed by how long it took them to confirm the files that were in fact compromised,” said Rothstein.
He also said that it's nearly impossible for clients to predict or prepare for a vendor to be compromised. What can be done, according to Rothstein, is for vendors to be held accountable.
“We have to be vigilant and we also have to exert pressure on our vendors that this can damage their brand reputation if they don’t do a good job,” said Rothstein.
“There needs to be some incentive in the market for vendors to follow industry best practices around securing their infrastructure, and their data and, of course, to act accordingly when they do discover a breach.”
The auditor’s office said it would notify those whose personal information is at risk as soon as possible and has set up a webpage to provide people with the latest information.