The Office of the Washington State Auditor (SAO) announced that one of its service providers, Accellion, had suffered a data breach in December 2020. According to a government official, Accellion did not notify SAO of the breach until January 25th. While the breach's scope is still being investigated, an estimated 1.6 million unemployment claims were exposed. The impacted information includes Social Security Numbers (SSNs) and/or driver's license numbers, bank account and routing numbers, and place of employment. According to BleepingComputer, the breach was caused by an exploited zero-day vulnerability in Accellion's File Transfer Agent (FTA) solution in mid-December, and a patch was deployed soon thereafter.
With organizations relying on third-party services such as Accellion for file hosting, it is essential to consider where encryption fits into the flow of data. Encrypting data in transit is common; making sure data at rest is also encrypted reduces the risk that data, even if exposed, can be used for fraud. Along the same lines, protecting the keys to that encrypted data is equally important. Many organizations already do this to meet compliance requirements, but protecting sensitive information found in forms such as unemployment claims should be a top priority for safeguarding employees and clients regardless. At an individual level, applying a credit freeze is a simple way to protect oneself from many kinds of fraud, and applying for an IRS Identity Protection PIN can also head off income tax fraud attempts. Based on recent trends, it is possible that threat actors will use the stolen personal information to fraudulently file for unemployment in other states and to file for income tax refunds.
Data breach exposes 1.6 million Washington unemployment claims (bleepingcomputer.com)
About the Accellion data security breach – Office of the Washington State Auditor