According to the Seattle Times yesterday, the Washington state auditor's office suffered a major data breach back in December, when hackers broke into the software the office uses for claims. Attackers made off with 1.4 million unemployment claimants' information.
This significant data breach exposes these victims to identity theft, fraud, and other forms of abuse.
The Washington state auditor's office uses Accellion software to record all unemployment benefits for claimants. According to the Seattle Times,
"State Auditor Pat McCarthy said Monday the records — including Social Security numbers and banking information — were exposed during a December breach of Accellion, a software provider the auditor's office uses to transfer large computer files."
Ironically, the data stolen had been collected during an investigation into why the state lost $600 million in fraudulent unemployment claims. There is a lot of criticism around the auditor's office collecting so much personal information and storing it in a location that was vulnerable.
The data breach involved a legacy product known as FTA, which is more than 20 years old and not designed to protect customers against these types of attacks. The auditor's office was in the process of upgrading to a newer product called kiteworks when the attack occurred. McCarthy commented that "We believed that we were getting a secure system, and we expected that — and the citizens of Washington state should expect that as well."
She also responded to questions about whether or not there were any indications this software was vulnerable before the attack "Absolutely not. We had no indication, no indication that this product was not secure."
How Did the State auditor's Office Respond?
Washington state has set up a website where residents can check to see if they are part of this particular data breach.
McCarthy issued a public statement saying that "I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens." She is expected to hold a media conference today to answer any questions and provide further details on the incident.
The company Accellion issued a security patch directly after the attack and rolled it out to each of their 50 customers.
The biggest fear is using the information stolen; threat actors can drain the funds left in anyone's account and wage further attacks through phishing emails, scam phone calls, and other social engineering tactics. The only way to be sure their funds are protected, is for claimants to change their account numbers.
The Seattle Times said that "The auditor's office said the breach affects personal information of people who filed for unemployment claims with ESD between Jan. 1, 2020, and Dec. 10, 2020, and included a total of 1.6 million claims. Those claims represent at least 1.47 million individuals, according to data from the ESD website. (Because there are multiple unemployment programs, a single claimant can file multiple times.)"
Because the data breach involved social security numbers, driver's license numbers, and bank account information, this poses a severe risk of financial loss for the victims.
When using third-party resources, there is always the additional risk of exposure. Some things that claimants and victims of this particular issue can do to protect themselves are:
- Visit the auditor's website to see if your details were included in the breach.
- Contact your bank and change your bank account numbers.
- Contact all three credit reporting agencies and report the breach.
- Set up a credit freeze to prevent any further damage.
- Change all passwords for financial accounts, including the state auditor's office account.
- Keep a close eye on all bank accounts for the next few months.
- Watch out for phishing emails and scam calls.