The Washington state government has suffered a large data breach involving claims for unemployment benefits. An unauthorized person was able to exploit a software vulnerability in the file transfer service of Accellion, a third-party service provider. The incident exposed information of at least 1.47 million Washington residents. Other Accellion customers were similarly affected.
Legacy Software Vulnerability Exploited
Mid-December, Accellion, a California-based cloud solutions company focusing on secure file sharing, was made aware of a security vulnerability in one of their legacy software products. The 20-year-old product is meant to securely transfer large data files. Accellion resolved the vulnerability and released a software patch.
However, this initial event was the beginning of a concerted cyberattack. In the weeks that followed subsequent exploits exposed data files of the Office of the Washington State Auditor (SAO). The records belong to close to 1.5 million people who have made a total of 1.6 million unemployment claims in Washington state between January and December 2020.
“SAO is currently seeking a full understanding of the timeline of the incident […]. At this time, SAO does not have enough information to draw conclusions about the timing or full scope of what took place. It was not until the week of January 25, 2021, that Accellion confirmed to SAO that SAO files were subject to this attack”, said the Office of the Washington State Auditor in a statement.
Sensitive Information Exposed
The data files are enormous. The SAO is currently reviewing all impacted files to identify the agencies, types of data and individuals involved. So far, the SAO is certain that data files from the Employment Security Department were impacted. The records include social security numbers and/or drivers’ licenses or state identification numbers as well as banking information.
Personal information of other Washington residents may also be affected, including data from the Department of Children, Youth and Families. The SAO said it will be providing updates. They will also notify the individuals, agencies and local governments affected as soon as possible.
Ironically, the compromised data from the Employment Security Department had been amassed during investigations into fraudulent unemployment claims and payments. Unfortunately, this fraud had slowed down payouts of benefits in times when the need for such payments was unprecedented thanks to the Covid-19-pandemic.
Accellion’s initial press release said only 50 of their customers were potentially affected. The implications, however, are far-reaching. Although initially not linked to Accellion, the Reserve Bank of New Zealand is now known to be one of the victims. They released a statement in mid-January confirming the Bank had been hacked.
A prominent Australian law firm and the Australian Securities and Investment Commission (ASIC) were also impacted by the Accellion cyberattack. This last incident involved unauthorized access to a server that contained documents associated with recent Australian credit license applications.
Accellion said it had been encouraging users to upgrade to their newer product, called Kiteworks. The 20-year-old legacy product “just wasn’t designed for these types of threats”, a spokesperson said. However, Pat McCarthy, state auditor and spokesperson for the SAO, emphasized that the state had been paying an annual subscription fee for the past 13 years. “We believed that we were getting a secure system.”