A massive data breach involving the state auditor’s office has left more than a million Washingtonians’ personal information vulnerable to identity theft.
It’s created potential new headaches for unemployment claimants already struggling to pay bills and deal with delays in benefit payments. A full picture of the debacle may take months to emerge, but here are answers to some of the most pressing questions Seattle Times readers have been asking:
How was this data exposed?
State Auditor Pat McCarthy’s office has been investigating how the state Employment Security Department (ESD) lost $600 million to fraudulent employment claims last year. (ESD says it has since recovered $357 million.)
As part of that probe, auditors demanded a trove of claims information from ESD. In December, a vulnerability in a computer file-transfer service used by the auditor’s office — a product of the California tech firm Accellion — allowed unknown people to access that data.
The breached data includes Social Security numbers, driver’s license numbers, bank account numbers and employment information — basically everything a cybercriminal would need to steal someone’s identity.
State officials estimate 1.6 million claims were left vulnerable, involving about 1.4 million people.
Does that include people who had fraudulent unemployment claims filed in their names last year?
Unfortunately, yes. People already victimized last year by fraudulent unemployment claims are among those whose information was also exposed in the new data breach, according to Kathleen Cooper, a spokesperson for the auditor’s office.
Who has the stolen data?
That’s unclear. State officials have only said that the data was accessed by “an unauthorized person.” The incident is under investigation by federal law enforcement as well as the state attorney general’s office and state cybersecurity officials.
Will I be notified if my data was part of this breach?
Yes. The auditor’s office has said it is working on individual notifications but has not yet provided details.
“We do not yet have a firm date on when these will begin. We are working with our insurance carrier on this complex process, and it is Auditor McCarthy’s highest priority,” Cooper said in an email.
Is the state offering free credit monitoring or other protections?
Not at this point. Many people have asked whether the state should provide credit monitoring or other consumer protections — as Equifax did after its infamous 2017 data breach. So far, state officials have not announced specific plans.
The auditor’s website says it “will make resources available to help each affected individual take measures to protect their identity” and will “post that information as soon as it is available.”
What should I do now if I think my data was part of this Accellion breach?
The auditor is directing people to the office’s website, with frequently asked questions and suggested actions: https://sao.wa.gov/breach2021. That site will be continually updated as new information becomes available.
For now, the auditor’s recommendations include:
Obtain a free credit report by visiting annualcreditreport.com
Consider placing a fraud alert on your credit report.
Review financial account statements and report any suspicious activity to your bank or credit union.
Report any suspected identity theft to the state Attorney General’s Office, law enforcement and/or or the Federal Trade Commission’s IdentityTheft.gov.
Who is responsible for this screw-up?
McCarthy has pointed the finger at Accellion. The company’s supposedly secure file-transfer product was compromised due to a vulnerability.
McCarthy said her office had been using the service, called FTA, for 13 years and was paying $17,000 annually for it.
An Accellion executive, Joel York, said the firm had been encouraging customers for years to upgrade to its newer, more secure transfer product, kiteworks. The auditor’s office was in the process of moving to that new service when the hack occurred.
Ultimately, Washington voters will get to decide whether to hold McCarthy accountable. As state auditor, she is an independent statewide elected official who does not report to the governor.
McCarthy, a Democrat, is a former Pierce County executive who was elected to a second term in November — before the data breach.
Did McCarthy’s office really need to gather detailed personal information to conduct its probe of ESD?
State legislators of both parties are raising this issue and may press for changes. State Sen. Karen Keiser, D-Des Moines, asked Monday whether the level of detailed data obtained by the auditor was “truly necessary.” On Tuesday, state Rep. Matt Boehnke, R-Kennewick, chimed in: “Why do we still continue to have full Social Security numbers in locations around state agencies when we can identify [people] by other means?”
McCarthy defended her investigation, saying her office regularly obtains massive amounts of documentation and data from state and local agencies it audits. “That’s what we do,” she said.
Cooper, the auditor’s spokesperson, said investigators needed the personal data to fully assess how ESD scrutinized unemployment claims for potential fraud before paying them.
Is it safe to file a new unemployment claim?
You should always be careful with personal data, but there has been no indication that ESD’s computer systems were hacked or compromised. The already-overwhelmed agency has requested that any calls about the data breach be directed to the state auditor.