Washington State

Ransomware attack may have exposed information on over 16,000 workers, state says

Sensitive information on over 16,000 workers may have been exposed in a ransomware attack on a Renton market research company’s data system.

Pacific Market Research (PMR) “recently notified” the Washington state Department of Labor and Industries, one of its clients, about the May 22 attack, according to a Thursday L&I news release.

An unauthorized party accessed PMR’s network and encrypted their servers during the attack, affecting an L&I file with sensitive information, according to the release.

“PMR’s system contained one document that listed contact information, claim numbers and dates of birth for 16,466 workers who had workers’ compensation claims in 2019, which PMR had used to conduct a customer service survey on behalf of L&I,” the release says.

PMR notified L&I on June 4 and the department received additional information on June 9, said L&I spokesperson Rich Roesler in an email statement. However, the release says affected workers and their employers only just started being notified of the breach on Thursday — nearly a month after the first notification.

“It took the company some time to assess the scope of the incident and determine which documents were potentially at risk,” Roesler said. “Once notified, we worked as quickly as possible to arrange for the notifications and set up a call center to respond to detailed questions.”

L&I says the attack did not involve their own computer systems. For its part, PMR engaged an independent cybersecurity firm to investigate the incident, according to a statement from managing director Andrew Rosenkranz.

“The cybersecurity firm completed its independent investigation and found no evidence that any files on the Pacific Market Research network were accessed or removed from the network,” Rosenkranz wrote.

PMR says they usually encrypt all confidential client data, but the cybersecurity firm’s investigation found the L&I file had not been encrypted.

“Once this unencrypted file was identified, L&I was immediately notified of the incident,” Rosenkranz wrote. “After accessing the list to conduct the survey, we did not re-encrypt it. That was wholly our error and one for which we accept full responsibility.”

Although PMR believes the unauthorized party did not access or take the L&I file, it cannot be totally certain, according to the release.

“The document did not contain medical information, social security numbers, bank or credit card information or other personal information,” Rosenkranz wrote.

L&I and PMR are notifying the affected workers by mail and offering 12 months of free credit monitoring, according to the release. PMR says it is paying for the costs of the notifications and credit monitoring.

The document also included L&I account numbers for 9,400 employers, per the release. Although this information is already public, L&I says they are notifying the workers’ employers by mail.

Roesler said L&I has not been involved in PMR’s response to the ransomware attack. He said the department is focused on notifying the affected workers.

“We also plan to put our customer experience surveys on hold so we can fully review how our data is protected and whether we can resume these sorts of surveys while keeping customer data safe,” Roesler said.

PMR managed to restore their entire file server through their backup systems, according to Rosenkranz, and the incident has been reported to law enforcement.

“We know that malicious cyber-attacks like what we experienced are affecting businesses around the world and governments at all levels,” Rosenkranz wrote. “As a result of the incident, we’ve taken immediate action to harden our network, including implementing additional security measures.”

This story was originally published July 2, 2021 at 12:29 PM with the headline "Ransomware attack may have exposed information on over 16,000 workers, state says."

Martín Bilbao
The Olympian
Martín Bilbao reports on Thurston County government, courts and breaking news. He joined The Olympian in November 2020 and previously worked for The Bellingham Herald and Daily Bruin. He was born in Ecuador and grew up in California.