Auditor’s Office contractor was using 20-year-old software when security breach occurred

Washington State Auditor Pat McCarthy said at a virtual press conference Monday she had no indication that a third-party file-transfer software used by her office wasn’t secure.

Her office is still working on understanding the timeline and scope of the security breach involving Accellion, and it also is being investigated by state and federal law enforcement.

“I can assure you if there was any indication at my level that Accellion wasn’t providing secure file-transfer service, then we would’ve done something about it,” she said. “But that is not the case here.”

An initial press release said the incident involved personal information from about 1.6 million people who filed unemployment claims last year. However, an updated, more nuanced estimate is that personal information — such as names, Social Security numbers, and banking numbers — from 1.6 million unemployment claims was made vulnerable.

The number of people affected by that would be “well over a million,” said spokesperson Kathleen Cooper at the virtual press conference.

The Auditor’s Office believes a smaller group of people with personal data held by the Department of Children, Youth and Families also are affected, as well as “non-personal financial and other data” from about 100 local governments and about 25 state agencies.

The data was collected as part of an audit of fraud that occurred in the state’s Employment Security Department in early 2020. Auditors doing the performance and systems audit needed the information “to accurately determine what transpired,” McCarthy said.

“I can’t get into the specifics of it, but it was doing the work of auditing the issue that happened with the fraud,” McCarthy said. “I mean, it is ironic that this would happen. But that is really the situation.”

The software targeted by a cyberattack was “Accellion FTA,” a 20-year-old product “nearing end-of-life,” according to a statement from the company. The company has been encouraging its customers to migrate to its newer platform for three years, the statement reads.

The Auditor’s Office had decided to transition to that newer platform in late summer 2020, according to Cooper, and the process began around that time. But the transition was not complete until Dec. 31.

“We paid for, we expected, and we deserve to have a secure system,” McCarthy said Monday. “We believed that Accellion was providing a secure file-transfer product for the state of Washington. This incident is being investigated by law enforcement.”

The company’s statement says all customers were notified of the attack Dec. 23; however, Auditor McCarthy has said her office wasn’t notified until Jan. 12.

McCarthy provided the following timeline of when her office received information from Accellion: The company sent a pro forma letter on Jan. 12 saying there had been a security incident, and on Jan. 13 let the office know it was part of the incident. The office did not know until the following week that it included files from the Employment Security Department, McCarthy said.

Cooper said it was only last week that the office “understood the nature of the data” made vulnerable from ESD, which required a scaled-up response.

At every point, McCarthy said, the office contacted the appropriate parties, such as the Attorney General’s Office. All state agencies and local governments that are so far known to be part of the breach have been contacted, according to McCarthy.

“I want to be clear that we are providing estimates on our figures, we are reviewing files and the incident,” McCarthy said. “I also want to be clear that the Employment Security Department did nothing to cause this. This was an attack on a third-party service provider.”

The Auditor’s webpage with information on the breach is a “starting place” for people to find information, Cooper said.

The office won’t be notifying individuals directly, according to Cooper, but a company will do that on the department’s behalf. There ultimately will be a call center that can answer people’s questions regarding the breach, she said, and she thinks there will be written notification.

McCarthy said leadership and staff from all caucuses of the state Legislature were informed of the situation Monday morning. Leaders spoke of that meeting at a press availability.

“Certainly, as a Legislature, we’re going to do everything in our power to make sure that any lessons that are learned, we can implement a better way of moving forward,” said Rep. Pat Sullivan, House Democratic Caucus Majority Leader.

“At this point, we just don’t have all the information to really know exactly how much data was breached and how we move forward. But we’ll be working with the Auditor’s Office in how we address these concerns and move on from there.”

This story was originally published February 1, 2021 at 6:15 PM with the headline "Auditor’s Office contractor was using 20-year-old software when security breach occurred."

Sara Gentzler
The Olympian
Sara Gentzler joined The Olympian in June 2019 as a county and courts reporter. She now covers Washington state government for The Olympian, The News Tribune, The Bellingham Herald, and Tri-City Herald. She has a bachelor’s degree in journalism from Creighton University.