Washington auditor’s office warned agencies of data-breach risks. Then it got hacked

Washington auditor’s office warned agencies of data-breach risks. Then it got hacked

Posted February 15, 2021

Washington auditor’s office warned agencies of data-breach risks. Then it got hacked

  • On Christmas Eve last year, Washington State Auditor Pat McCarthy’s office issued a dire warning that state agency computer systems and data make “attractive targets for cyberattacks.”
  • The next day, Christmas, unknown actors compromised the auditor’s own computer files, exposing a vast trove of private information in what may be the largest-ever cyberbreach for a Washington state agency.
  • The data included driver’s license, Social Security and bank account numbers of more than 1.4 million unemployment claimants. It also included audit data involving 25 state agencies and 100 local governments, including the city of Seattle, as well as adoption files of 30 children and their families.
  • The auditor relied on two-decade-old technology to store and transmit sensitive data — and some questioned whether the auditor needed to amass so much detailed personal information in the first place.
  • “Given the nature of the data and the risk of harm, certainly there should have been heightened security and heightened care given to this type of data transfer,” said Emory Roane, policy counsel for the California-based nonprofit Privacy Rights Clearinghouse.
  • In revealing the breach, McCarthy (Auditor) repeatedly pointed blame at Accellion, the California tech firm whose aging digital file-sharing service, known as FTA, the auditor’s office had relied on for more than a decade.
  • Accellion said it had been encouraging customers to upgrade to its newer, more secure software.
  • The nearly 20-year-old product was still in use by “hundreds of organizations in the finance, government and insurance sectors,” making it “a juicy target” for cybercriminals.

– Jim Brunner and Paul Roberts | February 15, 2021