The Washington state government has suffered a large data breach involving unemployment claims, potentially exposing data on more than 1.6 million people, officials admitted Monday.
The data appears to have been compromised through Accellion, a third-party vendor that was contracting with the state auditor’s office. In mid-December, the company suffered a cyberattack via a zero-day vulnerability in its legacy file transfer application.
The data exposed is quite sensitive, and includes names, bank account and routing information, social security numbers, place of employment, and driver’s license numbers.
This all happened, ironically, while the auditor’s office was conducting a thorough investigation of the state’s ongoing problems with unemployment fraud—some of which has been linked to notorious cyber actors, like the Nigerian threat group Scattered Canary. The state auditor’s office (SAO) was using Accellion’s file transfer software as it sifted through unemployment claims filed in Washington over the past year, the auditor’s office said Monday:
SAO was reviewing all claims data as part of an audit of that fraud incident. The data involves about 1.6 million claims and included the person’s name, social security number and/or driver’s license or state identification number, bank information, and place of employment.
The SAO said it was only recently notified of the full extent of the breach: the attack appears to have occurred on Dec. 25, and the office wasn’t notified about it until Jan. 12, after Accellion announced it had been hacked. The office further commented that it was “seeking a full understanding of the timeline of the incident and the status of Accellion’s investigation and the investigation by law enforcement” and that it didn’t currently “have enough information to draw conclusions about the timing or full scope of what took place.”
Accellion claims that it fixed the flaw within 72 hours of being made aware of it, but that the initial security incident was just the “beginning of a concerted cyberattack” on its FTA product that continued “into January.” The company subsequently “identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability,” it said.
Accellion has announced it is contracting with an “industry-leading cybersecurity forensics firm” to produce an assessment of how the attack occurred. It has promised to share the findings of the report when it becomes available.
Updated, 02/01/2021 at 6:27pm: The original story misstated the number of people who were potentially affected and has since been corrected.