Washington state lawmakers criticized the state auditor’s office during a hearing on Thursday for not being more forthcoming about a recent data breach that exposed the personal information of 1.3 million residents.
Auditor Pat McCarthy’s office announced last month that one of its IT vendors, Accellion, which provides file-sharing and collaboration software, experienced a major breach. It soon became apparent that McCarthy’s office was just one of many Accellion clients swept up in a breach that was first detected last December after the company was made aware of a zero-day vulnerability in its file-transfer application that malicious actors had exploited.
Among the files in McCarthy’s office that were exposed was information from the Washington Employment Security Department containing data about unemployment insurance recipients dating back to 2017, including people’s names, dates of birth, home addresses, Social Security numbers and banking information. Other known victims of the Accellion breach include the University of Colorado and several major corporations, including the supermarket chain Kroeger and aircraft manufacturer Bombardier.
While the auditor’s office made its first public announcement of the breach on Feb. 1 — prompting Gov. Jay Inslee to call for a sweeping consolidation of the state government’s cybersecurity posture — it was notified of the incident on Jan. 12. During Thursday’s state Senate hearing, lawmakers demanded answers about the delay in reporting.
“It just doesn’t quite make sense to me,” state Sen. Karen Keiser told one of McCarthy’s staff members, according to The Seattle Times.
Janel Roper, the director of administrative services in McCarthy’s office, said its disclosure was quicker than Kroeger’s, but Keiser said she did not care about other victim organizations.
State senators also wanted to know why the auditor’s office was holding so much information collected from the state unemployment program. While McCarthy is investigating how the ESD fell victim to so much unemployment fraud last year — at one point the state had paid out $300 million in phony benefits — lawmakers asked if those audits could be conducted with a smaller collection of records.
State Sen. Reuven Carlyle, who is shepherding the cybersecurity overhaul bill through the legislature, called the auditor’s office’s data collection “extremely expansive.”
On its website, the State Auditor’s Office says it is now in the process of notifying the 1.3 million people whose information was exposed in the breach, including an offer for 12 months of free credit monitoring. Meanwhile, details of the Accellion breach continue to surface. Last week, the Cybersecurity and Infrastructure Security Agency joined cybersecurity authorities from the U.K., Australia, New Zealand and Singapore in warning that the impact is likely to encompass numerous sectors, including state and local government.
“Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors,” the advisory read.
Carlyle’s bill would centralize the state government’s cyber efforts by formalizing the role of Washington Technology Solutions’ Office of Cybersecurity and giving the state chief information security officer the authority to set governmentwide standards. Agencies would be required to follow these standards and undergo compliance audits at least once every three years.
The bill, which outgoing Chief Information Officer Jim Weaver endorsed, passed the state Senate unanimously Feb. 24, and is currently being deliberated in the state House of Representatives.