New WA data breach exposes personal info of 1.6 million people who applied for unemployment
The Washington State Auditor is reporting a December data breach that could have exposed the personal information of 1.6 million Washingtonians who had applied for unemployment benefits in 2020.
The breach was of an Accellion server, a third-party system used by the auditor’s office, and may also have exposed data from local governments and other state agencies.
People who filed for unemployment between Jan. 1 and Dec. 10, 2020, people whose identities were stolen in last year’s fraud attack, or state government employees may have had their information exposed.
“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens,” State Auditor Pat McCarthy said in a written release. “This is completely unacceptable. We are frustrated and committed to doing everything we can to mitigate the harm caused by this crime.”
Washington state’s Employment Security Department was defrauded out of hundreds of millions of dollars last spring, impacting nearly 390,000 people whose stolen identities were used to fraudulently apply for unemployment benefits. In the months that followed, the department took criticism for weak internal controls and an out-of-commission automated process that was supposed to flag suspicious claims. The ESD was not responsible for this latest breach, though, says McCarthy.
“I want to be clear: This was an attack on a third-party service provider. The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident,” she emphasized.
McCarthy says they have used Accellion for 13 years and thought the security was trustworthy. Other recent attacks on Accellion resulted in data breaches at the Royal Bank of New Zealand and the Australian Securities and Investment Commission.
Law enforcement is investigating the breach.
McCarthy said the full scope of how this has affected people is still under investigation and their office has contacted every state agency that would be impacted, based on the files given by Accellion. She said those agencies already know who they are.
“We have not heard from anyone affected by it, but that doesn’t mean it hasn’t happened,” McCarthy said of claimants.
The auditor’s office has set up a website for people to learn more about the breach and plans to set up a hotline.
The KIRO Radio Newsdesk contributed to this report.