The Washington state government has suffered a major violation of unemployment claims data, which may have exposed data on more than 1.6 million people, officials admitted Monday.
The data appears to be compromised through Accellion, a third-party vendor that was contracting with the state audit. In mid-December, the company suffered a cyberattack through a zero-day vulnerability in its legacy file transfer application.
The data on display is quite sensitive and includes names, bank and routing information, social security numbers, workplace and driver’s license numbers.
All of this happened, ironically, while the audit was trying to do a thorough investigation the ongoing problems of the state with unemployment fraud, some of which have been linked to notable cyber actors, such as the Nigerian scattered Canary Islands threat group. SAO used Accellion’s file transfer software as it examined unemployment claims filed in Washington over the past year, said the audit room on Monday:
SAO was reviewing all claims data as part of an audit of this fraud incident. The data includes approximately 1.6 million claims and includes the person’s name, social security number and / or driver’s license or state identification number, bank information, and job location.
G / O Media may receive a commission
The ODS office said they were recently notified of the full extent of the offense, as it appears the attack took place on December 25 and their office was not notified until 12 p.m. January. after Accellion announced he had been hacked. The office further commented that “they were seeking a full understanding of the chronology of the incident and the state of Accellion’s investigation and investigation by law enforcement” and that they currently “did not have enough information to draw conclusions about the scope of what took place. “
Accellion states that fixed the defect in 72 hours to be made aware, however, that the initial security incident was only the “beginning of a concerted cyberattack” on its FTA product that continued “until January.” The company “subsequently identified additional gestures in the following weeks and quickly developed and released patches to close each vulnerability,” he said.
Other prominent institutions have also been affected by this attack, including the large Australian law firm Allens i the Reserve Bank of New Zealand.
Accellion has announced that it is the ccontracting with a “leading cybersecurity company in the cybersecurity industry” to produce an assessment of how the attack occurred. It is committed to sharing the findings of the report when available.
Updated, 01/02/2021 at 18:27: The original story incorrectly indicated the number of people potentially affected and has since been corrected.