Washington State Auditor's Office Breached and 1.4 Million Unemployment Claimants Exposed

Posted on by Dawna M. Roberts in News February 15, 2021

According to the Seattle Times yesterday, the Washington state auditor's office suffered a major data breach back in December, when hackers broke into the software the office uses for claims. Attackers made off with 1.4 million unemployment claimants' information.

This significant data breach exposes these victims to identity theft, fraud, and other forms of abuse.

What Happened?

The Washington state auditor's office uses Accellion software to record all unemployment benefits for claimants. According to the Seattle Times,

"State Auditor Pat McCarthy said Monday the records — including Social Security numbers and banking information — were exposed during a December breach of  Accellion, a software provider the auditor's office uses to transfer large computer files."

Ironically, the data stolen had been collected during an investigation into why the state lost $600 million in fraudulent unemployment claims. There is a lot of criticism around the auditor's office collecting so much personal information and storing it in a location that was vulnerable.

The data breach involved a legacy product known as FTA, which is more than 20 years old and not designed to protect customers against these types of attacks. The auditor's office was in the process of upgrading to a newer product called kiteworks when the attack occurred. McCarthy commented that "We believed that we were getting a secure system, and we expected that — and the citizens of Washington state should expect that as well."

She also responded to questions about whether or not there were any indications this software was vulnerable before the attack "Absolutely not. We had no indication, no indication that this product was not secure."

How Did the State auditor's Office Respond?

Washington state has set up a website where residents can check to see if they are part of this particular data breach.

McCarthy issued a public statement saying that "I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens." She is expected to hold a media conference today to answer any questions and provide further details on the incident.

The company Accellion issued a security patch directly after the attack and rolled it out to each of their 50 customers.

What Now?

The biggest fear is using the information stolen; threat actors can drain the funds left in anyone's account and wage further attacks through phishing emails, scam phone calls, and other social engineering tactics. The only way to be sure their funds are protected, is for claimants to change their account numbers.

The Seattle Times said that "The auditor's office said the breach affects personal information of people who filed for unemployment claims with ESD between Jan. 1, 2020, and Dec. 10, 2020, and included a total of 1.6 million claims. Those claims represent at least 1.47 million individuals, according to data from the ESD website. (Because there are multiple unemployment programs, a single claimant can file multiple times.)"

Because the data breach involved social security numbers, driver's license numbers, and bank account information, this poses a severe risk of financial loss for the victims.

Victim Recourse

When using third-party resources, there is always the additional risk of exposure. Some things that claimants and victims of this particular issue can do to protect themselves are:

  • Visit the auditor's website to see if your details were included in the breach.
  • Contact your bank and change your bank account numbers.
  • Contact all three credit reporting agencies and report the breach.
  • Set up a credit freeze to prevent any further damage.
  • Change all passwords for financial accounts, including the state auditor's office account.
  • Keep a close eye on all bank accounts for the next few months.
  • Watch out for phishing emails and scam calls.
About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s c... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien” is ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the country, ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of the... Read More

Scan Your Records for Breaches, Leaks & Exposures!