Security Experts:

Connect with us

Hi, what are you looking for?



Over 1 Million Impacted by Data Breach at Washington State Auditor

The Office of the Washington State Auditor (SAO) has disclosed a cybersecurity incident in which the personal information of more than 1 million individuals might have been stolen.

The Office of the Washington State Auditor (SAO) has disclosed a cybersecurity incident in which the personal information of more than 1 million individuals might have been stolen.

At the heart of the incident, SAO says, was Accellion software used for file transfers. Hackers exploited a security flaw in the file sharing service and gained access to restricted files.

Called FTA (File Transfer Application), Accellion’s service in mid-December received a patch for a critical vulnerability impacting less than 50 customers. The fix was sent to all affected organizations.

Despite that, the vulnerable service has been exploited by hackers to breach the systems of other Accellion customers as well, namely the Reserve Bank of New Zealand and the Australian Securities and Investments Commission (ASIC).

In its breach notification this week, SAO revealed that some of the files that were compromised in the incident contained “personal information of Washington state residents who filed unemployment insurance claims in 2020.”

Other Washington residents might have been affected as well, as their information was in state agency or local government files that SAO was reviewing.

While SAO did not provide details on the number of impacted users, the Employment Security Department (ESD) issued an alert on the incident, revealing that more than one million individuals might have been affected.

The affected data can include names, bank account numbers, bank routing numbers, social security numbers, driver’s license/state identification numbers, and places of employment.

When “other information from state agencies and local governments” is added, the figure rises to approximately 1.6 million unemployment claims that might have been affected in the incident, ESD says.

SAO also said that the intrusion happened in late December 2020, but that Accellion only confirmed the incident on January 25, 2021.

As part of the investigation launched into the matter, SAO attempted to identify which files from state agencies and local governments were affected, as well as the individuals who might have had their personal information stolen.

Related: Clothing Brand Bonobos Notifies Users of Data Breach

Related: Kawasaki Says Data Possibly Stolen in Security Breach

Related: Private Prison Operator GEO Group Discloses Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.