The Washington administration has suffered a major data breach regarding unemployment claims, potentially exposing information on more than 1.6 million people officials acknowledged Monday.
The data appears to have been compromised by Accellion, a third-party vendor that contracted with the state auditor. In mid-December, the company suffered a cyber attack due to a zero-day vulnerability in its application for the legacy of file transfers.
The data exposed is quite sensitive and includes names, bank account and route information, social security numbers, workplace and driver’s license numbers.
Ironically, this happened while the audit office was conducting a thorough investigation. the state’s ongoing problems with unemployment fraud – some of which have been linked to notorious cyber actors, such as the Nigerian Threatened Canary Threat Group. SAO used Accellion’s file transfer software as it sifted through Washington’s unemployment claims over the past year. the auditors’ office said on Monday:
SAO reviewed all claims data as part of an audit of the fraud incident. The data comprises approximately 1.6 million claims and contains the person’s name, social security number and / or driver’s license or government identification number, banking information and workplace.
G / O Media can get a commission
The SAO’s office said they had only recently been notified of the full extent of the offense, as the attack apparently took place on December 25 and their office was only notified on January 12. after Accellion announced it had been hacked. The office further said that they “want a full understanding of the timeline of the incident and the status of the Accellion investigation and the investigation by law enforcement” and that they do not currently have “enough information to draw conclusions about the timing or extent of what occurred. ”
Accellion claims that it fixed the error within 72 hours be made aware of this, but that the initial security incident was only the ‘start of a joint cyber attack’ on its FTA product that lasted ‘until January’. The company then ‘identified further meetings in the ensuing weeks and quickly developed and released patches to close every vulnerability’, he said.
Other prominent institutions were also affected by this attack, including the major Australian law firm Allens and the Reserve Bank of New Zealand.
Accellion has announced that it centered into an agreement with a “leading corporate forensic cyber security firm” to provide an assessment of how the attack took place. It promised to share the findings of the report when available.
Updated 20/02/2021 at 18:27: The original story misplaced the number of people who may have been affected and has since been corrected.