Washington Auditor's Office Warned Agencies of Data-Breach Risks, Then It Got Hacked


On Christmas Eve last year, Washington State Auditor Pat McCarthy's office issued a dire warning that state agency computer systems and data make "attractive targets for cyberattacks."

The admonition, in a 26-page cybersecurity audit report titled Continuing Opportunities to Improve State IT Security, noted agencies collect "vast amounts of confidential data" from the public.

It recommended fixes for "vulnerabilities" at five unnamed state agencies, cautioning — presciently, as it turned out — that a sensitive-data breach would bring a "loss of public confidence" as well as "considerable tangible costs."

The next day, Christmas, unknown actors compromised the auditor's own computer files, exposing a vast trove of private information in what may be the largest-ever cyberbreach for a Washington state agency.

The data included driver's license, Social Security and bank account numbers of more than 1.4 million unemployment claimants. It also included audit data involving 25 state agencies and 100 local governments, including the city of Seattle, as well as adoption files of 30 children and their families.

The Christmas Day breach has created massive problems for the agency and frustration and anger for those whose data was stolen. Many say they learned of the breach only through media accounts and are frustrated by the lack of information from the auditor.

The breach has also highlighted concerns about the use of outside vendors for sensitive data and raised questions about the speed of the auditor's response.

McCarthy's office says it learned of the "security incident" on Jan. 12, but it did not disclose its scope until Feb. 1. In revealing the breach, McCarthy repeatedly pointed blame at Accellion, the California tech firm whose aging digital file-sharing service, known as FTA, the auditor's office had relied on for more than a decade.

But McCarthy's office also is culpable, cybersecurity experts told The Seattle Times. They criticized the auditor's reliance on two-decade-old technology to store and transmit sensitive data — and some questioned whether the auditor needed to amass so much detailed personal information in the first place.

"Given the nature of the data and the risk of harm, certainly there should have been heightened security and heightened care given to this type of data transfer," said Emory Roane, policy counsel for the California-based nonprofit Privacy Rights Clearinghouse.

Roane called the breakdown "frustrating and annoying" but "not surprising in the least," adding: "There are a terrifying number of agencies that are using old software."

Ironically, the auditor's office had collected that claims data while auditing the state Employment Security Department over last year's $600 million fraud scheme. That creates potential new headaches for an unfortunate group of Washingtonians, who had a fraudulent claim taken out in their name, and now have had their personal information exposed again.

Wendy Whitaker is among them.

The Kent resident was laid off in June from her Boeing contractor job and tried to file for unemployment — only to find that a fraudulent unemployment claim was taken out in her name last spring.

Whitaker is still waiting to receive unemployment payments (she has since found work), and is taking steps to protect her credit. She was surprised the auditor's office hadn't contacted her or set up a third-party credit protection. "You would think they would have some sort of plan for us," Whitaker said. "That just amazes me."

Kathleen Cooper, a spokesperson for the auditor's office, said the agency "will directly notify people who have been affected," and is providing 12 months of credit monitoring free of charge, through Experian.

The agency is also setting up a call center, Cooper said, adding that the agency has "no evidence at this time that any of the data has been misused."

Jamila Thomas, chief of staff to Gov. Jay Inslee, said in an email to state employees last week such notification is expected "before the end of February." Thomas noted that "tens of thousands" of state employees are among the people whose data was compromised.

Accellion under fire

The timeline of the Accellion breach and notifications has been a point of contention between the company and the auditor. Accellion said in a statement it notified "all FTA customers" on Dec. 23. But McCarthy's office says it wasn't told until mid-January, and learned over the next few weeks about the extent of the breach.

Accellion said it had been encouraging customers to upgrade to its newer, more secure software.

But McCarthy, a Democrat elected to her second term in November, said earlier this month her office "believed that we were getting a secure system and we expected that — and the citizens of Washington state should expect that as well." Her office paid Accellion $17,000 a year for FTA.

Accellion has come under increasing fire for the breach of its FTA system, as more public and private organizations have revealed their files were exposed. The data breach may have affected 300 Accellion customers, ranging from a bank in New Zealand to a Singapore telecommunications firm, to the University of Colorado, according to the technology site Gizmodo.

The company should have retired its aging FTA product sooner, wrote Jeremy Kirk, managing editor at Information Security Media Group, in an analysis at BankInfoSecurity.com.

The nearly 20-year-old product was still in use by "hundreds of organizations in the finance, government and insurance sectors," making it "a juicy target" for cybercriminals, Kirk wrote. The company has announced FTA will be retired in April.

Accellion initially downplayed the consequences of the vulnerability in its FTA system. It didn't respond to questions for this story, but in a Jan. 12 statement, the company said it had been made aware in mid-December of the problem and released a patch to 50 affected customers within 72 hours "with minimal impact."

The fiasco could lead to a cascading set of legal, financial and logistical repercussions for the auditor, Accellion and the million-plus people who now have to worry about identity theft and other crimes. Two class-action lawsuits already have been filed in King County Superior Court.

Past breaches of government data have been costly. In 2013, a hack of an Arizona community college district's databases — with more than two million records, including banking and Social Security numbers, being offered for sale online — led to a payout of nearly $26 million. In 2019, Washington State University agreed to pay $4.7 million when a hard drive containing personal information of more than a million people was stolen from a self-storage locker.

The identities of those who accessed the auditor's data have not been disclosed. Federal and state investigations are ongoing.

Several Washington financial institutions said they've seen an uptick in calls from customers worried about the data breach. For several days after the breach was first reported, the Washington State Employees Credit Union's call center received around 1,100 calls a day from worried members, said spokesperson Ann Flannigan.

WSECU stepped up security measures, including extra scrutiny of withdrawals, but the bigger risks for individuals may come later.

Frequently when criminals get "tons and tons of data," Flannigan said, they'll sit on it for months in the hopes that media stories and consumer attention will fade. "And then down the line is when the fraud potentially starts to occur."

Stolen personal data often is sold on the dark web or by data brokers, experts said. Cybercriminals can use it to defraud people or demand ransom — or use it to launch additional hacking schemes. "Sometimes we see chains of attacks," said Inga Goddijn, executive vice president with the Virginia-based cybersecurity firm Risk Based Security.

While the auditor's office has emphasized Accellion's culpability, Goddijn said "every organization has an obligation to understand the security posture of the vendors that they rely on, especially when it comes to those who handle sensitive or personal information."

In an era where cybercrime is an ever-present and well-publicized threat, governments and companies alike should reconsider how much sensitive data to collect and store, said David Kohlbrenner, an assistant professor in the Paul G. Allen School of Computer Science and Engineering at the University of Washington.

"If you can avoid having a piece of sensitive data that you don't need — don't have it. You can't lose something you don't have," Kohlbrenner said.

Mike Hamilton, former chief information security officer for the city of Seattle, said an underappreciated potential impact of the breach could be its effects on the hundred-plus state and local agencies whose audit-related files were compromised.

Depending on what was taken, Hamilton said, the files could give hackers knowledge of companies doing business with governments, lending themselves to business email compromise scams.

"I think the state has got some reputation repairing to do with all these governments," said Hamilton, now chief information security officer for the Seattle firm CI Security.

There are already indications of new tensions.

Ross Hunter, secretary of the state Department of Children, Youth and Families, said his staff called all 30 families whose adoption files were exposed in the breach.

"It's deeply personal information. ... We're concerned about it. I am upset that this got released," said Hunter, a former Microsoft manager.

The adoption-file samples had been gathered as part of a routine audit. Hunter said he supports the work of an independent state auditor, but his department will look carefully at how data is shared with McCarthy's office going forward.

"We clearly are not using this product that the auditor would like us to use. We will negotiate a way for the auditor to have access to our files," he said.

The city of Seattle is among the local governments that had audit-related information exposed. But city spokesperson Anthony Derrick said in an email Friday, "To my knowledge, no information was included in the data breach that isn't already publicly available."

History of cyber attacks

Lawmakers of both parties say the auditor's fiasco is a bad look for state government, which has already had a history of problems with IT management in addition to the massive unemployment fraud, which led to the audit, and indirectly to the data breach.

Since 2016, nine state or local governments have reported data breaches, and many have reported cyber-related incidents, including frauds, according to the auditor's Dec. 24 report. In September, state agencies were attacked by a coordinated phishing campaign.

"Our state agencies are frankly getting lazy on cybersecurity. There are so many tools in our encrypted security toolbox they could have used," said Rep. Matt Boehnke, R-Kennewick, who directs the cybersecurity degree program at Columbia Basin College.

State Sen. Reuven Carlyle, D-Seattle, who is sponsoring legislation to centralize state cybersecurity practices, said the auditor's office must take responsibility to "fiercely deconstruct" what happened and ensure the mistake is never repeated. "In this situation nobody gets to point fingers outward," he said.

Whitaker, the Kent resident, said she wants to see the auditor make amends.

"I get that data breaches can happen. But everybody pretends as though, 'Oh, we couldn't let that happen!' Oh, yes you could and if you do, you need to do something about it," she said. "That's what makes me mad."