State Auditor Pat McCarthy said Monday the records — including Social Security numbers and banking information — were exposed during a December breach of Accellion, a software provider the auditor's office uses to transfer large computer files.
In a head-slapping irony, the compromised data had been collected as part of the auditor's investigations into how the state Employment Security Department (ESD) lost $600 million to fraudulent unemployment claims.
"I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens," McCarthy said in a statement.
Those burdens could be substantial, experts say. With personal information from the breach, "the fraudsters have everything they need in order to take whatever money is in that account and electronically transfer it to an account that they control," warned Trace Fooshee, a senior analyst and expert in fraud, data security, and money laundering at Aite Group, a financial services consultancy.
ESD claimants can protect themselves, Fooshee added, but "unfortunately, that means changing account numbers."
The auditor's office said the breach affects personal information of people who filed for unemployment claims with ESD between Jan. 1, 2020 and Dec. 10, 2020, and included a total of 1.6 million claims. Those claims represent at least 1.47 million individuals, according to data from the ESD website. (Because there are multiple unemployment programs, a single claimant can file multiple times.)
The auditor's office emphasized that the new breach did not originate with ESD, which has been under scrutiny over questions about its own security measures following last spring's fraud.
ESD officials, meanwhile, asked people who are concerned about their data not to call the agency but to contact the auditor's office with questions.
At an afternoon news conference, McCarthy said her office is working with state cybersecurity officials and that a federal law enforcement investigation is underway.
Steve Bernd, a spokesperson for the FBI, said the bureau is aware of the incident but could not confirm the existence of an investigation.
The data breach involved claimants' names, Social Security numbers and/or driver's license or state identification number, bank information, and place of employment, the auditor's office said.
Joel York, Accellion's chief marketing officer, said in an interview the data breach involved the company's 20-year-old "legacy product," known as FTA, which the company has been encouraging customers to stop using.
"It just wasn't designed for these types of threats," York said.
He said the company has been encouraging users for years to upgrade to Accellion's newer product, known as kiteworks. The auditor's office was in the process of moving to that product at the time of the data breach, he said.
Asked why her office had relied on software Accellion has described as aging and less secure than its newer product, McCarthy said the state paid an annual subscription fee for the service for the past 13 years and relied on it to be safe.
"We believed that we were getting a secure system and we expected that — and the citizens of Washington state should expect that as well," said McCarthy, a Democrat elected to her second term as auditor in November.
The FTA vulnerability was fixed through software patches after the December breach became known to Accellion, a Palo Alto, California-based company.
York said the patch was implemented quickly, but 50 of the company's customers, including the auditor, had already been compromised, and attacks on the system continued.
"That's the way things are today. It's cyberwarfare," he said.
McCarthy pushed back on the suggestion that Accellion had issued any security warnings about its systems. "Absolutely not. We had no indication, no indication that this product was not secure," she said.
The breach highlights the risks of using third-party vendors, which in the past have been targets for hackers, said Marcus Fowler, director of strategic threat at Darktrace, a cybersecurity firm. When agencies hire outside vendors for important data functions, they also become reliant on the vendor's security, Fowler said, and "you don't always know the level of scrutiny that they put into it."
But the breach also raised questions about why the state auditor had requested so much personal information. "Was it truly necessary for the audit of ESD to include all this personal financial data from ESD claimants?" said state Sen. Karen Keiser, D-Des Moines, who chairs the committee with oversight of ESD. "If so, why did the auditor's office not make sure its vendor could be trusted to provide adequate data security?"
Kathleen Cooper, state auditor spokesperson, said the personal data was necessary for the auditor to fully assess how ESD scrutinized unemployment claims for potential fraud before paying them.
McCarthy's office first disclosed what she termed "a security incident" in a statement to The Seattle Times on Friday evening that provided few details on the scope of the breach.
In addition to the massive exposure of unemployment claims data, other information from 100 local governments and 25 state agencies may have been compromised in the breach, McCarthy said Monday. Citing the ongoing investigation, the auditor did not disclose the names of those entities, with the exception of the Department of Children, Youth and Families.
The state auditor's office regularly audits some 2,300 local governments and state agencies, according to McCarthy. Those probes necessarily involve sweeping up massive troves of information, she added.
The auditor's office is the only state agency that reported using Accellion services, according to a list maintained by the state's chief information officer, said Andrew Garber, a spokesperson for WaTech, the state's central tech services agency.
A spokesperson for Gov. Jay Inslee said the governor had spoken with McCarthy "and expressed his deep concern about the data that was exposed by their third-party vendor. As a separately elected statewide official, we understand that they are taking responsibility for this and doing everything they can to address it."
News of the data breach comes nearly nine months after the ESD disclosed that criminals had filed hundreds of millions of dollars' worth of bogus unemployment claims using personal information likely stolen during earlier data breaches.
And it comes barely three months after McCarthy rebuked former ESD Commissioner Suzi LeVine for hindering her office's investigation into the fraud and other problems at ESD.
©2021 The Seattle Times, Distributed by Tribune Content Agency, LLC.