A data breach at the Office of the Washington State Auditor has compromised the personal information of 1.6 million Americans.
Social security numbers and banking information were exposed in a breach in December of Accellion, a software provider the auditor’s office used to transfer large computer files.
An official statement said: “The Office of the Washington State Auditor (SAO) was recently made aware of a security breach involving Accellion, a third-party provider of hosted file transfer services. During the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service.
“Some of the SAO data files contained personal information of Washington state residents who filed unemployment insurance claims in 2020. The compromised files may also include the personal information of other Washington residents who have not yet been identified but whose information was in state agency or local government files under review by the SAO.”
Accellion issued a statement saying the security incident regarded one of its legacy products.
“In mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software. Accellion FTA is a 20-year-old product that specializes in large file transfers,” the statement said.
“Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.
“Accellion’s flagship enterprise content firewall platform, kiteworks, was not involved in any way.”
John Vestberg, President and CEO of Clavister, said: “It’s as clear an example as we’ve seen for two key components to strengthen cybersecurity processes – the auditing of third parties and the personal responsibility for organisations to make sure that they are as up to date as possible with their software.
“The issue is that those on the wrong side of the law will not be using the same technologies and strategies as they were in the early 2000s, so as criminal strategies develop, so too must the secure systems businesses use.”
Niamh Muldoon, Global Data Protection Officer at OneLogin, said: “This is a great example of the need for organizations to build a comprehensive trust and security program focusing on people, processes and technology controls to protect data processed and stored, whether it’s within their own organization or with a third party.
“This breach emphasizes the importance of a ‘Security First’ culture within organizations who must stay on top of the latest threats. Security must be seen as a business enabler. The State of Washington appears to be taking the right steps in presenting an incident response process and alerting affected citizens.”