State lawmakers grilled aides to state Auditor Pat McCarthy at a hearing Thursday, questioning the auditor's actions related to a massive data breach affecting 1.3 million Washingtonians.
The questions and criticism zeroed in on whether McCarthy's office should have disclosed the breach of a third-party file-hosting vendor sooner, and whether the auditor should have amassed so much personal data — including Social Security and bank-account numbers — that may now be in the hands of cybercriminals.
State Sen. Karen Keiser, who chaired the virtual hearing before the Senate Labor, Commerce and Tribal Affairs Committee, said she applauds the auditor's investigations into problems at the state Employment Security Department (ESD).
"But it seemed to me at the time last year that there was a real insistence for so much personal info from so many Washingtonians," said Keiser, D-Des Moines. "That's just so much information to handle ... did we make an overstep with that effort?"
Janel Roper, director of administrative services for the auditor, defended the data collection as necessary to evaluate how ESD was flagging suspicious unemployment claims. The agency is conducting several audits into how ESD lost hundreds of millions of dollars to unemployment fraud, and delayed payment of legitimate claims.
"Conducting this test required our auditors to obtain the files with all the claims," she said.
Other lawmakers did not appear satisfied with that explanation.
State Sen. Reuven Carlyle, D-Seattle, called the data demanded by the auditor from ESD "extremely expansive," covering everyone who filed an unemployment claim in 2020.
"Could you have taken a sample? Five, ten, twenty thousand people?" he said, pointing to cybersecurity experts who recommend governments and corporations work to minimize collection of sensitive data.
The data breach hit a digital file-transfer service offered by Accellion, a California tech firm, exposing data for dozens of other governments and companies in addition to the auditor's office.
Legislators on Thursday questioned why the late-December breach, which McCarthy's office says it learned about Jan. 12, was not publicly disclosed until Feb. 1.
"It just doesn't quite make sense to me," Keiser said.
Roper said the auditor's office "immediately" contacted Accellion after learning about the breach but didn't know the extent of what files were exposed until a week or so later.
She defended the auditor's disclosure timeline, saying it was quicker than those of private companies, including the Kroger grocery chain, which waited four weeks to reveal it had been hit by the Accellion breach.
Keiser cut Roper off. "I am really not interested in other [Accellion] clients," she said.
The auditor's office last week started sending email notifications to the 1.3 million people whose data was exposed in the breach. Those notices also include a year of free credit monitoring.
The agency has set up a call center to answer questions about the breach. Roper said that, so far, the center has received just a few hundred calls.
Some lawmakers predicted public alarm will grow as more people get notified their personal data was put at risk.
"It may be because we haven't notified enough people to scare the daylights out of them," said state Sen. Curtis King, R-Yakima. "It seems like it's taken us a long time to set up notification to these individuals who could have their bank accounts drained."
For more information on the breach and on the state's response, visit www.sao.wa.gov/breach2021/