Data breach exposes 1.6 million Washington state residents who filed unemployment claims in 2020

Washington State Auditor Pat McCarthy. (State Auditor’s office Photo)

The Office of the Washington State Auditor is investigating a security incident which has compromised the personal information of more than 1.6 million people who filed for unemployment claims in the state in 2020.

State Auditor Pat McCarthy’s office blamed the breach on a third party software provider named Accellion, whose services are used to transmit computer files.

“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic,” McCarthy said said in a news release Monday. “This is completely unacceptable. We are frustrated and committed to doing everything we can to mitigate the harm caused by this crime.”

The Seattle Times noted that the compromised data had been collected as part of the auditor’s investigation into how the state Employment Security Department (ESD) lost $600 million to fraudulent unemployment claims.

“I want to be clear: This was an attack on a third-party service provider,” McCarthy added. “The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident.”

The State Auditor’s Office (SAO) said the incident happened on Dec. 25 when unauthorized access to numerous files held on the service provider’s system occurred.

According to SAO, data affected may have included:

  • Personal information of people who filed for unemployment claims from Jan. 1 to Dec. 10, 2020. In addition to members of the general public, this group includes many state employees, as well as people whose identity was used to file for claims fraudulently in early 2020. SAO was reviewing all claims data as part of an audit of that fraud incident. The data involves about 1.6 million claims and included the person’s name, social security number and/or driver’s license or state identification number, bank information, and place of employment.
  • Personal information of a smaller number of people, including data held by the Department of Children, Youth and Families.
  • Non-personal financial and other data from local governments and state agencies.

A representative for Accellion told The Times that the breach involved a 20-year-old “legacy product” which the company has been encouraging customers to stop using. Accellion had reportedly been encouraging users to upgrade to a newer product, which the auditor’s office did after the data breach, according to Accellion Chief Marketing Officer Joel York.

SAO said it is working closely with state cybersecurity officials, law enforcement, the Employment Security Department, the Department of Children, Youth and Families, and legal counsel.

The agency has a web page dedicated to the incident with more information for those who are concerned about possible identity theft.