On Monday, The Washington State Auditor Office disclosed that it had suffered a data breach that exposed the personal information of some 1.4 million employment claimants.
It appears that the records became exposed in December, following a data breach of Accellion, a software provider used by the State Auditor Office for the transfer of large computer files. The Washington State Auditor Office only became aware of the breach’s effect on their files on January 25.
The data exposed included names, social security numbers, driver’s license or state identification numbers, bank account numbers, routing numbers, and more.
Additionally, the breach exposed files from Washington local governments and other state agencies.
We spoke to several cybersecurity experts to get their take on the news.
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre)
“Compromises come in many forms where the attacker defines the rules of their attack. In this case, the nature of the data is particularly worrisome as it could be used in future crimes. While an offer of free credit report might help alleviate some of the fallout from the attack, that the information being transferred contained banking information in addition to employment details and social security numbers could allow for a highly targeted phishing attack. Washington residents should be particularly wary of anyone directly and proactively contacting them about an unemployment claim via email or phone. Given the nature of the stolen data, it becomes that much easier to trick someone into thinking such proactive outreach is legitimate.
“From a cybersecurity perspective, this attack highlights that proper security isn’t simply a matter of protecting servers with firewalls and desktops with anti-malware. Attackers will find a weak link and if transferred data is in a consumable format, such as in plain text, then the damage from a compromise is that much greater. This is a perfect example of where threat models play a role. A forensic analysis will seek to determine key questions like who verified whether the file transfer service setup by Accellion was patched and who determined the file format used for the transfer? Threat models seek to perform a forensic analysis before the incident occurs in order to prevent the need for an incident response.”
“Accellion is a widely-trusted cybersecurity company used by several big organizations in the public and private sector. Although Accellion claims the auditor’s office used a legacy product and that it encouraged an upgrade, the report doesn’t state whether that legacy product had reached end-of-life status. If Accellion still officially supported the product, then it should not try to shift blame. If the product has reached end of life, then the auditor’s office shoulders the responsibility for not moving on to a supported product.
“The most pressing question right now is who else uses the same legacy product? Are they all vulnerable to attack? This breach could have serious ramifications for a number of big, important organizations that hold sensitive data. The consequences of this breach alone could have long-term financial impact on 1.4 million victims.”
“Unfortunately, one of the side-effects of the COVID-19 pandemic has been a huge increase in unemployment claims in the United States and other countries. While it is unknown how many other states and countries may use the affected version of the Accellion file transfer system, it stands to reason that other states and regions may be hit by similar attacks if they do not take immediate action to update their systems.
“While it is not unusual for government agencies to use outdated systems due to budgetary constraints, using a 20-year-old legacy system like the one that was breached is inexcusable. At the very least, available software packages that are intended to fix the vulnerability should have been put in place. Updating to Accellion’s newer package after the breach took place is another example of closing the barn door after the horse has bolted.
“As for the 1.4 million Washington state unemployment claimants who have had their names, social security numbers and/or driver’s license or state identification number, bank information, and place of employment information exposed, this opens them up to further intrusion into their private information. The bad actors of the world will likely use the information acquired in the hack to attempt to learn more about the victims’. Washington state unemployment users will need to be on the alert for phishing emails, snail mails, texts, and phone calls, all designed to extract more personal information from unwitting victims. Victims will also want to keep a close eye on their credit, using credit reports, credit alerts, and perhaps credit monitoring services.”
“This is a great example of the need for organisations build a comprehensive Trust and Security program focusing on people, processes and technology controls to protect data processed and stored, whether it’s within their own organisation or with a third party. This breach emphasizes the importance of “Security First” culture within organisations who must stay on top of the latest threats. Security must be seen as a business enabler. The State of Washington appears to be taking the right steps in presenting an incident response process and alerting affected citizens.”
“Organizations should be looking for clear communications and a good partnership with providers like Accellion. The report indicates that Accellion had been in the process for years trying to get customers to upgrade from the legacy application in question to a more modern version. Any organization that receives such advice from an application provider or vendor should heed the recommendation and work with the provider to close security holes through upgraded software. Perhaps Accellion wasn’t being persuasive enough? On top of that, organizations should be actively working with providers to discuss how strong the built-in security mechanisms are and perhaps performing an audit of existing security configurations to determine deficiencies and mitigation plans to tighten up security. Again, maintaining the security and privacy of individuals’ PII means that organizations must proactively assess their security posture, discover and eliminate potential risks, and of course move beyond purely perimeter- or password-based security to more data-centric means of protecting sensitive data.
“Again, clear communications and a great working relationship with any application provider should help ensure that you are not using software with known (or unpatched) vulnerabilities or security deficiencies. Any organization should be proactively assessing their enterprise software regularly, making sure that any upgrades or patches are applied in a timely fashion and also investigating any release notes to understand what features are being implemented or bugs are being fixed. Working with the provider when questions arise is the best course of action. A lot of other resources on the Internet are available to understand what’s happening with any common application, but nothing beats hearing it from the vendor’s mouth.
“I think that most companies want to believe that they are being proactive, and I also think that incidents like this give many of them pause (and some night sweats, too). However, so many things are going on in the modern enterprise—across the company as well as in IT—that moving from thinking to action is sometimes very difficult, especially where increased spending is concerned. Organizations need to put an absolute priority on data security, especially if they are working with their customers’ sensitive PII. Breaches and attacks can be very costly not only in fines and sanctions from regulators (if they get involved) but also from legal expenses, increased operational costs, and of course any hits to brand reputation. Companies have all the incentive to keep data security their number one top priority, regardless of which incident or breach happens to be in the news at the present moment. If you’re waiting for another high-profile data breach or leak to urge you into action, then you’re probably not being anywhere near as proactive as you should be.”
“Cybercriminals typically break in by exploiting vulnerabilities or taking advantage of misconfigurations. In this instance a vulnerability existed that was overlooked. We all want to trust that our cybersecurity teams are doing the best they can to keep attackers out. I believe in what Reagan once said “trust, but verify”. It’s much better, and less costly, to have a trusted ally validate your security than wait until it’s validated or invalidated by an attacker.”