In a tough pandemic environment, many Americans have been depending on state benefits to get by. 1.6 million unemployment claimants in the state of Washington may have just received an identity theft headache in addition to their UI checks. A hack of a third-party vendor that handles high-volume data transfers for the State Auditor’s office has exposed extremely sensitive personal information for potentially all of those who filed for unemployment in 2020, including Social Security and bank transfer numbers.
Breach of Washington State Auditor vendor’s software exposes unemployment information
Though 1.6 million records were exposed in the data breach, the State Auditor’s office estimates that about 1.47 million state unemployment claimants are impacted due to multiple applications. The breach impacts anyone who filed a claim in Washington between January 1 and December 10, 2020.
The hack originates with the breach of Accellion, a software provider the State Auditor’s office uses to transfer large computer files. The auditor has apparently been using an older Accellion product called FTA, which has been available for two decades now. Accellion discovered that FTA was breached in December; the company revealed that 50 other customers were impacted in addition to the State Auditor.
The two organizations were quick to point fingers at each other. Accellion called FTA a “legacy” product and indicated that the State Auditor’s office was in the process of upgrading to its current “kiteworks” system. Accellion claimed that FTA “just wasn’t designed for” modern threats. State Auditor Pat McCarthy said Monday that the agency had been paying for a subscription to FTA for 13 years and expected a “secure system,” claiming that FTA had never issued any security warnings for the product.
The more than 1.4 million Washingtonians involved likely care less about assignment of blame than they do about what exactly happened to the trove of sensitive personal information that was exposed: Social Security numbers, bank account and routing numbers used for deposits, driver’s license and state identification numbers, and places of employment along with full names and physical addresses. Enough information was provided to enable skilled criminals to extract money directly from bank accounts, likely forcing over a million state unemployment claimants to change their account numbers and adopt credit protection measures during a tough financial period.
Chris Hauk, consumer privacy champion for Pixel Privacy, feels that the State Auditor should be held responsible for failing to keep up with security best practices. He also notes that even if they change bank account numbers and obtain credit monitoring, the unemployment claimants will likely be facing further probing and scam attempts in the near future: “While it is not unusual for government agencies to use outdated systems due to budgetary constraints, using a 20-year-old legacy system like the one that was breached is inexcusable. At the very least, available software packages that are intended to fix the vulnerability should have been put in place … As for the 1.4 million Washington state unemployment claimants … this opens them up to further intrusion into their private information. Washington state unemployment users will need to be on the alert for phishing emails, snail mails, texts, and phone calls, all designed to extract more personal information from unwitting victims.”
Paul Bischoff, privacy advocate with Comparitech, took the opposite view of the debate: “Accellion is a widely-trusted cybersecurity company used by several big organizations in the public and private sector. Although Accellion claims the auditor’s office used a legacy product and that it encouraged an upgrade, the report doesn’t state whether that legacy product had reached end-of-life status. If Accellion still officially supported the product, then it should not try to shift blame. If the product has reached end of life, then the auditor’s office shoulders the responsibility for not moving on to a supported product. The most pressing question right now is who else uses the same legacy product? Are they all vulnerable to attack? This breach could have serious ramifications for a number of big, important organizations that hold sensitive data.”
Breach may extend beyond unemployment claimants
The millions of unemployment claimants may well not be the only victims of the State Auditor’s Office breach. The office used the Accellion software for more than just unemployment claims; it was used in any situation in which very large volumes of data (quite often personal information) needed to be transferred. In the case of the unemployment claimants, the data that was breached was actually being used in a fraud investigation. The State Auditor’s office conducts many such investigations involving some 25 state agencies and 100 local government offices. McCarthy confirmed that some data belonging to these other agencies may have been exposed. The State Auditor’s office is the only agency in Washington that uses the compromised FTA software.
The blow to the unemployment claimants comes in the midst of an investigation into Washington’s Employment Security Department (ESD), the agency that manages unemployment benefits. McCarthy publicly rebuked former ESD Commissioner Suzi LeVine in late 2020 for hindering the State Auditor’s investigation into how hundreds of millions of dollars in pandemic relief funds were lost to fraudulent claims. Fraudsters are estimated to have bilked the state of nearly $600 million, $356 million of which has since been recovered. Hundreds of millions appear to have been taken in the early days of the coronavirus pandemic by a Nigerian crime ring called “Scattered Canary.”
As of this writing, Accellion continues to advertise FTA on its website as an active product that touts “Secure File Transfer” and “Secure 3rd Party Content Communication.” However, scrolling down a bit does display a notice that the product will reach its end of life on April 30 and subscription renewals will not be available after that date. The issue that caused this breach (reportedly an SQL injection flaw) was patched within 72 hours according to a company press release, but it is unclear how long the breach window was open.