WA Auditor’s Office: No information ‘misused’ so far in Accellion breach
Following December’s data breach of Accellion, the company used by the State Auditor’s Office to transfer files with the Employment Security Department, the Auditor’s Office announced that so far, no Washingtonians’ private accounts appear to have been hacked as a result.
The breach potentially exposed the personal data of 1.6 million Washington residents who filed for unemployment last year, as well as state government employees.
“We are not aware of anything that is tied to this breach, as far as information that was misused,” said Janel Roper, director of Administrative Services at the State Auditor’s Office, in a briefing to legislators on Tuesday.
Roper noted that Accellion had never had an incident before this, but now that it has happened, the Auditor’s Office is looking for a new company to use instead.
“We’re currently in the process to see how we can stand up a replacement for Accellion — a different file transfer system so that we can make sure that we’re doing our best to keep any data that we have as secure as possible,” Roper said.
In the months since the breach, the Auditor’s Office has notified by email everyone whose data may have been breached, offered them free credit monitoring, and set up a free phone line for any questions they may have.
Accellion found itself at the center of multiple lawsuits after the breach. Roper said that the Auditor’s Office is not currently a plaintiff, but also is not ruling it out.
“It doesn’t mean it won’t happen, but right now we are not part of a lawsuit against Accellion,” Roper said.
In the meantime, bills passed in the Legislature this year have attempted to reduce the likelihood of further data breaches.
Senate Bill 5432 sets up a Cybersecurity Office that will work with state agencies to prevent data breaches and mitigate the impacts as soon as possible after one occurs.
Additionally, House Bill 1455 will stop the Employment Security Department and the Department of Labor and Industries from using people’s full social security numbers in written communications with non-governmental third parties, apart from financial transactions, secure or encrypted messages, or cases in which the full number is required by law.