Washington state data breach could affect 1.6 million people

A view of downtown Seattle.
Photograph: John Moore (Getty Images)

The Washington state government suffered a major data breach involving unemployment insurance claims, potentially exposing data for more than 1.6 million people, officials admitted Monday.

The data appears to have been compromised through Accellion, a third-party vendor hired by the state auditor’s office. In mid-December, the company suffered a cyber attack through a zero-day vulnerability in its legacy file transfer application.

The exposed data is highly sensitive and includes names, bank account and routing information, Social Security numbers, places of employment, and driver’s license numbers.

Ironically, this all happened as the auditor’s office sought to conduct a full investigation of the state’s continuing problems with unemployment fraud, some of which have been linked to notorious cyber attackers, like the Nigerian threat group Scattered Canary. The SAO was using Accellion’s file transfer software while examining the unemployment claims filed in Washington last year, the auditor’s office said Monday:

SAO was reviewing all complaint data as part of an audit of this fraud incident. The data involves about 1.6 million complaints and includes the person’s name, social security number and/or driver’s license or state identification number, bank information and workplace.

The SAO said it was only recently notified of the full extent of the breach: the attack appears to have occurred on December 25, and the office was not notified of it until January 12, after Accellion announced it was hacked. The office further commented that it was “looking for a complete understanding of the incident schedule and the status of the Accellion investigation and law enforcement investigation” and that it currently “did not have enough information to draw conclusions about the timing or scope of what happened.”

Accellion claims that it fixed the flaw within 72 hours of being informed of it, but that the initial security incident was only the “beginning of an orchestrated cyber attack” on its FTA product that continued “in January”. The company subsequently “identified additional exploits in the following weeks and quickly developed and released patches to close each vulnerability,” it said.

Other important institutions were also affected by this attack, including the large Australian law firm Allens and the Reserve Bank of New Zealand.

Accellion announced that it is hiring an “industry-leading cybersecurity forensics company” to produce an assessment of how the attack occurred. It promised to share the report’s findings when they become available.

Updated 01/02/2021 at 18:27: The original story misstated the number of people who were potentially affected and has since been corrected.
