What did they know and when did they know it?

In the short term, those are probably not the most pressing questions about the massive data breach in which sensitive personal information of 1.4 million Washingtonians who had sought unemployment benefits was exposed to hackers.

People need to know if they’re vulnerable and what they should be doing to protect themselves.

But there are clearly questions that need to be answered.

First, the bullet-point background:

  • For several months, the state Auditor’s Office has been investigating how the state Employment Security Department lost $600 million to fraudulent jobless claims last year. According to an Auditor’s Office spokesperson, investigators sought the claimants’ personal data so they could fully assess how ESD examined jobless claims for potential fraud before it issued checks.

Sounds pretty straightforward so far. ESD wasn’t the only agency nationwide to fall victim to fraud during the pandemic-driven spike in unemployment. And the Auditor’s Office was doing its job.

  • However, in December the file-transfer program used by the Auditor’s Office suffered a “vulnerability” that allowed unauthorized access to jobless claimants’ data, including Social Security numbers, bank account information and driver’s license numbers.
  • Federal agencies, the state Attorney General’s Office and other cybersecurity officials are investigating, but for now nobody knows who has the stolen data. Meanwhile, the threat of identity theft hovers over hundreds of thousands of state residents through no fault of their own. Pouring lemon juice into the open cut: Even those who fell victim to fraudulent jobless claims last year are among those whose data was exposed.

Are you affected? If you sought jobless claims in 2020, probably.

If so, what should you do? The Auditor’s Office offers information and updates at https://sao.wa.gov/breach2021. Among its recommendations: Get a free credit report from https://www.annualcreditreport.com; consider placing a fraud alert on your credit report; examine your bank accounts carefully; and report any suspected identity theft to the state Attorney General’s Office, law enforcement or the Federal Trade Commission’s IdentityTheft.gov website.

The Auditor’s Office is developing a plan to notify all affected Washingtonians, but there are few details and no dates have been set.

Meanwhile, there’s the blame game.

The Auditor’s Office website points out that the breach was not an attack on either its agency or ESD. Accellion, the California company that provided FTA, the file-transfer service used by the Auditor’s Office, admits FTA was the target of a sophisticated cyberattack in December and that all customers were promptly notified of the breach.

But Accellion also says it’s no secret that FTA, introduced 20 years ago, was at the end of its shelf life and that for three years it has been encouraging FTA customers to migrate to a program called kiteworks, described as “our modern and more secure platform.” (The italics are ours.) An Accellion official noted that the Auditor’s Office was in the process of shifting to the new program at the time of the breach.

Said State Auditor Pat McCarthy: “We had no indication, no indication that this product was not secure.”

Accellion also claims on its website that “All FTA customers were promptly notified of the attack on Dec. 23, 2020.” However, the Auditor’s Office website says Accellion announced the breach in January.

The story is still unfolding, and we can expect more questions to surface in the days and weeks ahead. On Tuesday, a Seattle law firm filed a lawsuit against Accellion on behalf of a Seattle man who filed a jobless claim last year. The suit is seeking class-action status.

However this latest pandemic-related black eye unfolds, it is paramount that the state agencies involved be completely transparent with investigators, each other and the residents of Washington — including thousands in the Yakima Valley — as to facts, dates, numbers and any other details that shed light on this incident.

What did they know and when did they know it?