The Office of the Washington State Auditor (SAO) has disclosed a cybersecurity incident in which the personal information of more than 1 million individuals might have been stolen.
At the heart of the incident, SAO says, was Accellion software used for file transfers. Hackers exploited a security flaw in the file sharing service and gained access to restricted files.
Called FTA (File Transfer Application), Accellion’s service in mid-December received a patch for a critical vulnerability impacting less than 50 customers. The fix was sent to all affected organizations.
Despite that, the vulnerable service has been exploited by hackers to breach the systems of other Accellion customers as well, namely the Reserve Bank of New Zealand and the Australian Securities and Investments Commission (ASIC).
In its breach notification this week, SAO revealed that some of the files that were compromised in the incident contained “personal information of Washington state residents who filed unemployment insurance claims in 2020.”
Other Washington residents might have been affected as well, as their information was in state agency or local government files that SAO was reviewing.
While SAO did not provide details on the number of impacted users, the Employment Security Department (ESD) issued an alert on the incident, revealing that more than one million individuals might have been affected.
The affected data can include names, bank account numbers, bank routing numbers, social security numbers, driver’s license/state identification numbers, and places of employment.
When “other information from state agencies and local governments” is added, the figure rises to approximately 1.6 million unemployment claims that might have been affected in the incident, ESD says.
SAO also said that the intrusion happened in late December 2020, but that Accellion only confirmed the incident on January 25, 2021.
As part of the investigation launched into the matter, SAO attempted to identify which files from state agencies and local governments were affected, as well as the individuals who might have had their personal information stolen.
Related: Clothing Brand Bonobos Notifies Users of Data Breach
Related: Kawasaki Says Data Possibly Stolen in Security Breach
Related: Private Prison Operator GEO Group Discloses Data Breach

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
