The personal unemployment claims data of 1.6 million residents of Washington may have been stolen following a hack of the software used by Office of the Washington State Auditor, raising fears of fraud and identity theft, officials said on Monday. The security breach, according to state auditor Pat McCarthy, involved third-party software used to store and transfer files that include names, Social Security numbers, banking information and other important personal details.
The Office of the Washington State Auditor has already launched an investigation into the large-scale hack. Interestingly, the compromised data was collected as part of the auditor's investigation into how the state Employment Security Department (ESD) lost $600 million to fraudulent unemployment claims.
According to the State Auditor's Office (SAO), the incident took place on December 25 when unauthorized access to numerous files held on the service provider's system occurred. "I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic," McCarthy said in a news release on Monday.
She further said that such an incident is completely unacceptable and involves high risk of compromising with vital personal information of thousands of people. The hacked files contain information like names, Social Security numbers, driver's license numbers, bank information and place of employment of around 1.6 million residents of Washington state.
Those potentially affected include people who filed for unemployment benefits between January 1 and December 10, 2020. Given that the files were collected for an investigation into fraudulent unemployment claims it also includes information about people who had fake unemployment claims submitted on their behalf.
Who is to be Blamed?
The auditor's office stressed that the breach did not originate with ESD, but put the blame on a third party software provider named Accellion, whose services are used to transmit computer files. That said, the Auditor's Office stopped using Accellion's services from December 31 for reasons unrelated to the attack, McCarthy said.
However, the auditor's office has already started working with state cybersecurity officials, law enforcement and others to mitigate the damage. Joel York, chief marketing officer of Accellion, toldThe Seattle Timesthat the product used "just wasn't designed for these types of threats".
York said the company has been encouraging users for years to upgrade to Accellion's newer product, known as kiteworks. The auditor's office was in the process of moving to that product but the data breach happened in between. Apart from the massive exposure of unemployment claims data, also information from 100 local governments and 25 state agencies have likely been compromised in the breach.