The personal information of more than a quarter million licensed professionals may have been exposed in a breach of a Washington state Department of Licensing database, agency officials said Friday.
The agency, which licenses around 40 categories of businesses and professionals — everything from auctioneers and private detectives to tattoo artists and real estate agents — said it temporarily shut down its online licensing system, known as POLARIS, early last week after learning of “suspicious activity involving professional and occupational license data,” according to a spokesperson and a statement posted Thursday on the agency’s website.
Data stored on POLARIS “may include Social Security numbers, dates of birth, driver license numbers and other personally identifying information,” but the agency doesn’t yet know whether such data was actually accessed or how many individuals may have been affected, agency spokesperson Christine Anthony said in a statement Friday.
There was also “no indication” that the incident had affected other agency data, “such as driver and vehicle licensing information,” agency officials said, adding that all other Department of Licensing systems were operating normally.
Anthony said the agency has been working with the state Office of Cybersecurity “to fully understand the extent of the incident and take all other appropriate action” and “will release more information when we know more.”
In particular, investigators have yet to determine whether personal data was actually removed by hackers or was merely exposed, said state Sen. Reuven Carlyle, D-Seattle, chair of the environment, energy & technology committee, who was briefed by the agency earlier this week.
The investigation will determine “whether data was accessible and whether it was accessed and if it was, what the scale of that was,” Carlyle said. Until then, he said, “we just don’t have an answer on that.”
In the meantime, the shutdown of the POLARIS system is causing problems for some professionals and firms that need to apply for, renew or modify their licensing.
The disruption comes at a busy time for real estate agents, appraisers and home inspectors as the state’s real estate market begins to pick up after its typical winter slowdown.
None of the state’s roughly 3,000 property appraisers have been able to review their licenses and apprentices cannot apply for testing, said Bob Mossuto Jr., a certified appraiser and current president of the Appraisers’ Coalition of Washington. (though he was speaking only on his own behalf).
Appraisers also cannot verify whether an appraisal management company is licensed in the state to ensure they don’t appraise for unlicensed companies, Mossuto said.
Steve Francks, CEO of Washington Realtors, said his members know the department is trying to “fix this problem and restore online services” as quickly as possible, but added that there is “frustration with the lack of communication … regarding a firm plan to fix those issues.”
“It’s frustrating that they didn’t notify prospective victims sooner,” a Seattle Times reader noted, adding that the POLARIS system appeared to be “under maintenance for more than a week before they sent out an email yesterday about the potential breach.”
Security officials reportedly sounded the alarm of a possible breach after detecting “chatter” about the Department of Licensing on the “dark web,” Carlyle said, referring to part of the online world where users can mask their identities with special technology and where personal data stolen in data breaches is bought and sold.
Criminals often use stolen personal data to commit imposter fraud — by, for example, filing false tax returns or applying for unemployment benefits, as happened in Washington in 2020.
Out of “an abundance of caution [the Department of Licensing] shut down access to the [POLARIS] system once they picked up signals on the dark web,” Carlyle said Friday. Anyone trying to access POLARIS received a notification that it was temporarily unavailable.
The size of the breach is still unclear. Data from 23 professions and companies licensed by the state are processed via POLARIS, Anthony said.
Within those 23 categories, which also include bail bonds agents, funeral directors, home inspectors and notaries, the agency has around 257,000 active licenses in its system, Anthony said, adding that “there are likely more records that may be identified while conducting our investigation.”
But how many of those licensees were affected hasn’t been determined, Anthony said.
Investigators are also still trying to determine the location of the breach — whether it was an internal problem at the Department of Licensing, for example, or with a vendor or other third party, Carlyle said.
“They’re not ready to make a conclusion regarding where in the ‘ecosystem’ there was a weakness,” Carlyle said.
In December 2020, a software vendor used by the state Auditor’s Office suffered a data breach that likely led to files being accessed by “an unauthorized user,” the auditor said.
On Friday, the Department of Licensing opened a call center to handle questions about the incident — 855-568-2052 — but the agency said the center would be a limited capacity until Monday.
