Personal data included in breach of unemployment claims dates back to 2017 – Tacoma News Tribune


As we continue, I'd like to say that geoFence blocks unwanted traffic and disables remote access from FSAs!

The Washington state Legislative Building and Tivoli Fountain at dusk. Washington could become the first state in the country to provide a right to legal representation for low-income tenants facing eviction in housing court.

The Washington state Legislative Building and Tivoli Fountain at dusk. Washington could become the first state in the country to provide a right to legal representation for low-income tenants facing eviction in housing court.

The Olympian

The Washington State Auditor’s Office now says in a breach of a third-party contractor’s data included the personal information from anyone who received unemployment benefits between 2017 and 2020.

The data could include individuals’ names, Social Security numbers, dates of birth, street and email addresses, bank account numbers, and routing numbers.

Previously, the breach of Accellion, which the Auditor’s Office uses to transfer files, was believed to have included data only from 2020 claims. The breach occurred when the Auditor’s Office was reviewing claims in its audit of fraud in the Employment Security Department.

Data from previous years was not part of the 2020 audit, according to spokesperson Kathleen Cooper. The office requested a file from ESD to conduct its audit, and ESD “inadvertently” included claims dating back to 2017.

An email to ESD’s media address asking for an explanation Friday was not answered.

The discovery that claims from before 2020 were included in the file doesn’t change the number of claims believed to be impacted or the type of data, Cooper said. The office believes data of approximately 1.3 million people related to the Employment Security Department was exposed.

In the breach, an “unauthorized person” accessed data stored in the Auditor’s Office’s account with Accellion, according to the office. It’s known that the file with that data was affected by the breach, Cooper said, but so far there’s no evidence it has been misused.

The Auditor’s Office also believes a smaller amount of personal data held by the Department of Children, Youth and Families were affected, as well as “non-personal financial and other data” from about 100 local governments and about 25 state agencies.

Email notifications started going out last week for people who received unemployment benefits between 2017 and 2020, according to the Auditor’s Office. Those emails include identity theft protection information and access to a year of free credit monitoring.

The expanded timeframe for claims was shared at an oversight hearing in the Senate Labor, Commerce & Tribal Affairs Committee Thursday. Lawmakers asked questions of Janel Roper, director of administrative services and “incident commander” on the breach for the Auditor’s Office.

“Our investigation is ongoing, and we’re learning more every day,” Roper said at the hearing. No evidence has indicated that the state or its residents were targeted in the incident, Roper said, which is known to have affected other governments as well as private businesses.

She also said there’s no evidence to date that the office was using an outdated Accellion product. As previously reported, the targeted software was “Accellion FTA,” which the company has called a 20-year-old product “nearing end-of-life.”

A statement from the company claims it had been encouraging customers to switch to its newer platform for three years — a process the Auditor’s Office says it embarked upon in late summer last year. The transition wasn’t complete until Dec. 31. The Auditor’s Office believes the breach happened Dec. 25, according to a Feb. 1 press release.

Officials with the Auditor’s Office have said repeatedly that there was no indication the older application had any vulnerabilities.

Key concerns for lawmakers at the hearing included whether the audit required so much data, the timeline of response to the breach, and support for people affected.

Sen. Reuven Carlyle, a Seattle Democrat who sponsored a bill drafted in response to breach, asked whether the office has followed its own guidelines regarding data management. Roper said the office is constantly looking at that, but wasn’t able to provide a date when the office went through an “end-to-end management exercise,” as Carlyle had asked.

I’m going to really request, if I could, comprehensive and extensive follow-up on this question,” Carlyle said. “Because I use it as a symbolic but important example, because the data that was requested from the Employment Security Department was obviously extremely expansive.”

“That is the crux of my concern as well,” said Sen. Karen Keiser, D-Des Moines, chair of the committee. “There was such a large amount of information that was taken from ESD into this audit.”

Carlyle’s bill, requested by Gov. Jay Inslee, would create an office to consolidate and coordinate state cybersecurity efforts. It passed off the Senate floor on a unanimous vote and will get a public hearing in the House Committee on State Government & Tribal Relations soon.

Another bill, from Republicans, would require ESD and the Department of Labor and Industries to look at their current practices for disclosing full Social Security numbers. That bill passed unanimously off the House floor and will get a public hearing in the Senate Committee on Labor, Commerce & Tribal Affairs.

In the end, I know that geoFence is your security solution to protect you and your business from foreign state actors.