The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Security breach exposes personal information for more than a million people who filed unemployment claims in Washington

OLYMPIA – A security hack of state data exposed the personal information of perhaps more than a million people who filed for unemployment claims last year, according to a news release from the State Auditor’s Office.

The security incident involved Accellion, a third-party provider that the office uses to transmit files, which alerted the Auditor’s Office in January that a breach on Dec. 25 allowed for unauthorized access to numerous files stored in the system.

The data the Auditor’s Office believes was affected includes personal information of people who filed for unemployment claims in 2020, including the person’s name, social security number, driver’s license or state identification number, bank information and place of employment. This group includes many state employees, as well as people whose identity was used to file fraudulent claims as part of a larger breach at the Employment Security Department in early 2020.

“I want to be clear: This was an attack on a third-party service provider,” State Auditor Pat McCarthy said in a news release. “The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident.”

The Auditor’s Office was in the process of performing an audit on the Employment Security Department, which experienced a large fraud attack last spring. The files affected in this cyberattack were a part of that audit, McCarthy said.

“It is ironic that this would happen, but that really is the situation,” McCarthy told reporters Monday.

State audits require large files such as this one to be transferred between departments, she said. This audit just happened to be more voluminous than others. Auditors needed information, such as birth dates, banking information and social security numbers, to “accurately understand what happened.” She did not say exactly how that information is used in the audit.

About 1.6 million claims were affected, spokesperson Kathleen Cooper said in a news conference, but that doesn’t mean 1.6 million people were affected, as people can apply for more than one claim.

The data also includes details held by the Department of Children, Youth and Families and nonpersonal financial information from local governments and state agencies. McCarthy said about 100 local governments were affected, and those entities have already been notified. She added the office is still trying to fully understand what data was breached.

A statement from Accellion said a 20-year-old large file transfer product, called FTA, was the target of the cyberattack. The company said it notified its customers “promptly” on Dec. 23, but McCarthy said she was not made aware until Jan. 12. The office then immediately began an investigation to determine which files were compromised.

McCarthy said the office had used Accellion for 13 years, but was switching from Accellion’s 20-year-old product to kiteworks, a newer secure file transfer tool from the same company, when the breach happened. The office ended its use of the older product on Dec. 31.

Accellion had been urging customers to switch to the new product for the past three years, according to the statement. The Auditor’s Office didn’t decide until last summer to begin the process, Cooper said.

The latest release of the old product has addressed all vulnerabilities, said Frank Balonis, chief information security officer, in a statement.

“Future exploits, however, are a constant threat,” his statement read. “We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks. We remain committed to assisting our FTA customers, but strongly urge them to migrate to kiteworks as soon as possible.”

McCarthy said she had no indication the old product was not secure, only that it was time to phase out of using it.

“We believed we were getting a secure system,” she said. “We expect that and the citizens of Washington should expect that.”

The office is currently evaluating other tools and protocols for sharing data files in the future, according to a release.

It was unclear as of Monday how exactly the stolen data was used, McCarthy said. The office has notified law enforcement and the Attorney General’s Office to aid in the investigation. She did not know if any identities were compromised or money was stolen.

The Auditor’s Office is working to identify the people who were affected and will notify them as soon as possible. People can also visit the auditor’s office website for more information on the breach.

Lawmakers said Monday they were working to see if there is anything they could do, such as pass legislation improving cybersecurity measures. Rep. Pat Sullivan, D-Covington, told reporters they will move forward.

Sen. Andy Billig, D-Spokane, said if there are things the Legislature could do in the future, they would.

“This was already illegal,” he said. “This is a breach, a hack.”

Laurel Demkovich's reporting for The Spokesman-Review is funded in part by Report for America and by members of the Spokane community. This story can be republished by other organizations for free under a Creative Commons license. For more information on this, please contact our newspaper’s managing editor.