The Washington State Auditor’s Office (SAO) has reported a cybersecurity incident in which the confidential details of more than 1 million people may have been compromised.
An Accellion programme used for file transfers was at the centre of the incident, SAO says. Hackers exploited a vulnerability in the file-sharing programme and obtained access to restricted data.
In mid-December, Accellion’s service, named FTA (File Transfer Application), received a fix for a critical vulnerability affecting fewer than 50 customers. The patch was provided to all affected organisations.
Nevertheless, hackers have exploited the vulnerable service to breach the networks of other Accellion clients, such as the Reserve Bank of New Zealand and the Australian Securities and Investments Commission (ASIC).
In its breach notice this week, SAO disclosed that “personal information of Washington state residents who filed unemployment insurance claims in 2020” was found in some of the files that were accessed in the incident.
Other citizens of Washington may also have been affected, as their data was in state department or city government archives that SAO analysed.
Although SAO did not include information on the number of people impacted, the Job Protection Department (ESD) released a warning about the incident, disclosing that it may have affected more than one million people.
Names, bank account numbers, bank routing numbers, social security numbers, driver’s license/state identification numbers, and work locations may be included in the affected data.
The number rises to nearly 1.6 million unemployment claims that may have been impacted by the incident once “other information from state agencies and local governments” is included, ESD says.
SAO also stated that the attack occurred in late December 2020, but that the event was only confirmed by Accellion on 25 January 2021.
As part of its investigation into the matter, SAO sought to identify which files from state departments and local governments were affected, as well as the persons whose personal records may have been stolen.