The Office of the Washington State Auditor (SAO) has disclosed a cybersecurity incident in which the personal information of more than 1 million individuals might have been stolen.
At the heart of the incident, SAO says, was Accellion software used for file transfers. Hackers exploited a security flaw in the file sharing service and gained access to restricted files.
Called FTA (File Transfer Application), Accellion’s service in mid-December received a patch for a critical vulnerability impacting less than 50 customers. The fix was sent to all affected organizations.
Despite that, the vulnerable service has been exploited by hackers to breach the systems of other Accellion customers as well, namely the Reserve Bank of New Zealand and the Australian Securities and Investments Commission (ASIC).
In its breach notification this week, SAO revealed that some of the files that were compromised in the incident contained “personal information of Washington state residents who filed unemployment insurance claims in 2020.”
Other Washington residents might have been affected as well, as their information was in state agency or local government files that SAO was reviewing.
While SAO did not provide details on the number of impacted users, the Employment Security Department (ESD) issued an alert on the incident, revealing that more than one million individuals might have been affected.
The affected data can include names, bank account numbers, bank routing numbers, social security numbers, driver’s license/state identification numbers, and places of employment.
When “other information from state agencies and local governments” is added, the figure rises to approximately 1.6 million unemployment claims that might have been affected in the incident, ESD says.
SAO also said that the intrusion happened in late December 2020, but that Accellion only confirmed the incident on January 25, 2021.
As part of the investigation launched into the matter, SAO attempted to identify which files from state agencies and local governments were affected, as well as the individuals who might have had their personal information stolen.