Date: 2022-02-11

By Paul Roberts, Seattle Times

Investigators now believe that hackers stole at least some of the Social Security numbers and other sensitive personal data of 650,000 current and former Washington state professionals and business owners during a breach of a state database, Department of Licensing officials confirmed Friday.

The breach, which was detected Jan. 24 and disclosed last week, affected personal data in active, expired, revoked or suspended licenses for 23 of the 39 professions and businesses that require state licensing. Affected data included such information as Social Security numbers, driver’s license numbers, and dates of birth. Data from the department’s driver’s license system wasn’t affected, agency officials said.

“Based on our investigation, (Department of Licensing) has sufficient reason to believe the Professional and Business Licensing System was accessed and records were acquired without authorization,” the agency said in an updated statement on its website.

Investigators still haven’t determined whether the potential breach occurred within the agency, in the database or in some other part of the data system, said agency spokesperson Nathan Olson. The database is maintained by Salesforce, a San Francisco software company.

The agency will begin notifying individuals who were potentially affected by the breach and providing them with credit monitoring and identity theft protection.

The Department of Licensing’s main online licensing portal, known as Polaris, has been shut down since Jan. 24, but the agency is now offering limited renewal services for businesses and professionals with expiring licenses.

Agency officials had initially said that the breach might have exposed the data of at least the 257,000 individuals with active licenses in the system, but acknowledged that the full number was likely larger. Friday’s estimate grew to 650,000 because it included individuals with nonactive licenses, and also because a single business license can include information for multiple individuals, Olson said.

Friday’s announcement confirms what many outsiders already suspected: that personal information in a massive database wasn’t merely exposed during the breach, but in at least some cases had been taken and potentially made available for sale on the “dark web,” an anonymized section of the World Wide Web accessed through special software. Stolen personal data is often traded there for use in impostor fraud and other illicit activities.

As early as late January, some individuals with business licenses in Washington said they had received notifications that some of their personal information had been detected on Jan. 24 on the dark web.

On Monday, a Salesforce spokesperson said that, “at this time, we have no evidence of a vulnerability inherent to the Salesforce platform.”

Also unclear is whether the breach occurred Jan. 24 or if that is simply when the state Office of Cybersecurity became aware of the breach after detecting “chatter” on the dark web about “accessed” personal data from the Department of Licensing.

The breach remains under investigation by the state Office of Cybersecurity, the state Attorney General’s Office and a third-party cybersecurity firm, CrowdStrike, Department of Licensing officials said.