Cybersecurity and privacy experts commented this afternoon on news that a data breach in Washington State has exposed the personal information of more than 1.6 million residents who applied for unemployment. The breach is being blamed on outdated software used by third-party service provider Accellion.
Official statement: https://sao.wa.gov/breach2021/
Purandar Das, CEO and Co-Founder of Sotero Software:
“Data sharing, by organizations, is one of the key areas of vulnerability. This activity is an area that will be targeted more and more by hackers. Organizations have relied on “secure data transfer”, meaning the data is protected in transmission, as being sufficient. This is no longer true. Even if the data is secure during transmission, the underlying data is in clear text. True and complete data protection has to be built from the ground up. Even though the data is being transmitted over a secure channel, data security must start at the source, meaning the data should be protected (encrypted) all the time, even in use. This is a huge part of protecting data and information. Credit card companies discovered this a long time ago. Hence the reason why credit card information is never transmitted to the retailer. The card companies encrypt it and don’t transmit or share the information. Unfortunately, the same mechanism does not work for everyone. The transmitted data needs to be available for use and analysis. Adopting newer technologies that enable the use of encrypted data by the proper parties, coupled with multi-party key ownership for authentication, is one way to eliminate data loss during transmission.”
Chris Hauk, consumer privacy champion, Pixel Privacy:
“Unfortunately, one of the side-effects of the COVID-19 pandemic has been a huge increase in unemployment claims in the United States and other countries. While it is unknown how many other states and countries may use the affected version of the Accellion file transfer system, it stands to reason that other states and regions may be hit by similar attacks if they do not take immediate action to update their systems.
While it is not unusual for government agencies to use outdated systems due to budgetary constraints, using a 20-year-old legacy system like the one that was breached is inexcusable. At the very least, available software packages that are intended to fix the vulnerability should have been put in place. Updating to Accellion’s newer package after the breach took place is another example of closing the barn door after the horse has bolted.
As for the 1.4 million Washington state unemployment claimants who have had their names, Social Security numbers and/or driver’s license or state identification numbers, bank information, and place of employment information exposed, this opens them up to further intrusion into their private information. The bad actors of the world will likely use the information acquired in the hack to attempt to learn more about the victims. Washington state unemployment users will need to be on the alert for phishing emails, snail mail, texts, and phone calls, all designed to extract more personal information from unwitting victims. Victims will also want to keep a close eye on their credit, using credit reports, credit alerts, and perhaps credit monitoring services.”
Paul Bischoff, privacy advocate with Comparitech:
“Accellion is a widely trusted cybersecurity company used by several big organizations in the public and private sector. Although Accellion claims the auditor’s office used a legacy product and that it encouraged an upgrade, the report doesn’t state whether that legacy product had reached end-of-life status. If Accellion still officially supported the product, then it should not try to shift blame. If the product has reached end of life, then the auditor’s office shoulders the responsibility for not moving on to a supported product. The most pressing question right now is: who else uses the same legacy product? Are they all vulnerable to attack? This breach could have serious ramifications for a number of big, important organizations that hold sensitive data. The consequences of this breach alone could have a long-term financial impact on 1.4 million victims.”
Niamh Muldoon, global data protection officer at OneLogin:
“This is a great example of the need for organizations to build a comprehensive Trust and Security program focusing on people, processes and technology controls to protect data processed and stored, whether it’s within their own organization or with a third party. This breach emphasizes the importance of a “Security First” culture within organizations, which must stay on top of the latest threats. Security must be seen as a business enabler. The State of Washington appears to be taking the right steps in presenting an incident response process and alerting affected citizens.”
Trevor Morgan, product manager at comforte AG:
“The very disappointing news that the highly sensitive personal data of 1.6 million unemployed filers in Washington State was exposed underscores just how important data-centric security is. Unlike perimeter security methods, which strengthen the boundaries around data, data-centric security such as tokenization protects the data itself, obfuscating it so that it becomes for all intents and purposes unintelligible. This means that if it falls into the wrong hands, threat actors cannot use it or leverage it for their personal gain—the meaning behind the data remains hidden. Had the caretakers of this data implemented data-centric security, then the privacy of over 1.6 million Washington State citizens would have been maintained and protected.”