The Office of the Washington State Auditor (SAO) is inspecting a security incident after unemployment claims data of over 1.4 million Washington state residents were exposed in a third-party data breach. State Auditor Pat McCarthy attributed the data breach to a third-party software vendor Accellion, whose services are used by SAO to transfer digital files.
“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens,” McCarthy said in a news report.
Accellion’s Software – The Culprit Again!
Accellion, a provider of hosted file transfer services, confirmed that an unauthorized threat actor obtained access to SAO files in late December 2020 by exploiting a vulnerability in Accellion’s file-transfer service.
The SAO stated that data files from the Employment Security Department (ESD) were impacted, which contained unemployment compensation claim information, including the names, social security numbers, driver’s license or state identification numbers, bank account numbers, bank routing numbers, and place of employment. All the residents who have filed for unemployment benefits with the SAO between January 1 to December 10, 2020, were impacted by the security incident. Besides, the compromised files include the personal data of other Washington residents who have not yet been identified but whose information was with the state agency.
The security incident is under Accellion’s investigation and reported to the law enforcement authorities for further probe. “At this time, SAO does not have enough information to conclude the timing or full scope of what took place. It was not until the week of January 25, 2021, that Accellion confirmed to SAO that SAO files were subject to this attack and provided the information needed for SAO to begin to identify which data files were impacted, and individuals whose personal information is in those files,” SAO said.
One Software Multiple Attacks
Other government agencies that used the Accellion software service have also been similarly impacted by outsider intrusions. Recently, the Australian Securities and Investment Commission (ASIC) became aware of a security incident that affected one of its servers used to transfer files like credit license applications. The securities regulator stated that the security incident occurred due to a vulnerability in Accellion’s file-sharing software, used by New Zealand’s Reserve Bank that also faced a cyberattack earlier.