The Washington State government has faced a major data breach involving unemployment claims, potentially exposing data on more than 1.6 million people officials admitted Monday.
The data appears to have been compromised by Accellion, a third-party vendor contracted with the state accountant’s office. In mid-December, the company received a cyber attack via a zero-day vulnerability in its old file transfer application.
The exposed data is quite sensitive and includes names, bank account and routing information, social security numbers, location and driver’s license numbers.
This all happened, ironically, while the accountant’s office wanted to conduct a thorough investigation the continuing problems of the state with unemployment fraud – some of which have been linked to notorious cyber actors, such as the Nigerian threat group scattered canary. SAO used Accellion’s file transfer software to search unemployment claims filed in Washington during the past year, the accountant’s office said Monday:
SAO reviewed all claim data as part of an audit of that fraud incident. The data includes approximately 1.6 million claims and includes the person’s name, social security number and / or driver’s license or state identification number, bank details and place of employment.
G / O Media can receive a commission
The SAA’s office said they had only recently been made aware of the full extent of the breach, as the attack appears to have occurred on December 25 and their office was not informed of it until January 12. after Accellion announced it had been hacked. The office further noted that they “sought a full understanding of the timeline of the incident and the status of Accellion’s and law enforcement investigations” and that they currently “did not have enough information to draw any conclusions about the timing or complete magnitude of what took place. “
Accellion claims that it solved the error within 72 hours but that the first security incident was only the “start of a coordinated cyber attack” on its FTA product that continued “into January”. The company then identified “additional exploits in the following weeks and quickly developed patches to address each vulnerability,” it said.
Other prominent institutions have also been affected by this attack, including the large Australian law firm Allens and the Reserve Bank of New Zealand.
Accellion has announced that it will cConsulting with a “leading cybersecurity forensics company” to assess how the attack occurred. It has pledged to share the report’s findings when it becomes available.
Updated, 1/2/2021 at 6:27 PM: The original story misrepresented the number of people who may have been affected and has since been corrected.