The Washington government has suffered a major data breach of unemployment claims, potentially exposing data on more than 1.6 million people, officials admitted Monday.
The data appears to have been compromised through Accellion, a third-party provider that contracted with the state auditor’s office. In mid-December, the company suffered a cyber attack through a zero-day vulnerability in its old file transfer application.
The data on display is quite sensitive and includes names, bank account information and routing, social security numbers, employment and driving license numbers.
It all happened, ironically, as the auditor’s office sought to conduct a thorough investigation. the ongoing problems of the state unemployment fraud – some of which have been linked to notorious cyber actors such as the Nigerian scattered Canary Islands threat group. SAO has been using Accellion file transfer software since it went through unemployment claims filed in Washington in the last year, said the auditor’s office on Monday:
The OAS examined all complaint data as part of an audit of the fraud incident. The data involved approximately 1.6 million damages and included the person’s name, social security number and / or driver’s license or state identification number, bank information and place of work.
G / O Media may receive a commission
The SAO Bureau said that it had only recently been notified of the full extent of the breach, as the attack appeared to have taken place on 25 December, and their office had not been informed of this until 12 January, after Accellion announced it had been hacked. The bureau further commented that it “seeks a full understanding of the timing of the incident and the status of the Accellion investigation and the investigation by law enforcement” and that they currently “do not have sufficient information to draw conclusions about the timing or purpose of what happened. had place. “
Accellion claims that fixed the defect within 72 hours to be aware of this, but that the initial security incident was only “the beginning of a concerted cyber attack” on its free trade product that continued “until January”. The company “subsequently identified exploits in the coming weeks and quickly developed and released patches to close each vulnerability,” she said.
Other prominent institutions were also affected by this attack, including the great Australian law firm Allens and New Zealand Reserve Bank.
Accellion announced that it is cengaging with an “industry-leading cyber security firm” to produce an assessment of how the attack took place. He promised to share the conclusions of the report when it becomes available.
Updated, 01/02/2021 at 18:27: the original story incorrectly indicated the number of people who were potentially affected and has been corrected since then.