New breach exposes data of 1.6 million Washington state residents who filed for unemployment in 2020

While Washington state is still reeling from a massive breach at the Employment Security Department (ESD) this past spring which allowed over $600 million dollars to be stolen from unemployment funds, a new breach has been detected which has compromised the personal information of more than 1.6 million Washingtonians who filed for unemployment claims in 2020.

During the process of investigating the original data breach, the Office of the Washington State Auditor’ s State Auditor Pat McCarthy’s said the hack was due to a third party software provider named Accellion, which "hosted file transfer services."

According to a statement released by McCarthy’s office "During the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service. Some of the SAO data files contained personal information of Washington state residents who filed unemployment insurance claims in 2020. The compromised files may also include the personal information of other Washington residents who have not yet been identified but whose information was in state agency or local government files under review by the SAO."

McCarthy said in the release on Monday, "I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. This is completely unacceptable. We are frustrated and committed to doing everything we can to mitigate the harm caused by this crime."

According to the Seattle Times, McCarthy emphasized "I want to be clear: This was an attack on a third-party service provider. The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident."

The State Auditor’s Office the breach occurred on Dec. 25 and may have affected; Personal information of people who filed for unemployment claims from Jan. 1 to Dec. 10, 2020, data from the Department of Children, Youth and Families, financial and other data from local governments and state agencies.

A representative for Accellion told The Seattle Times that the breach involved a "20-year-old ‘legacy product’ which the company has been encouraging customers to stop using."

This breach has revealed a systemic problem with cyber security in Washington state government agencies. In September, the US Labor Department allocated $100 million to be used by states to combat cyber fraud. According to the Spokesman Review, "Washington’s unemployment system missed potential red flags, including payments to out-of-state banks and the use of suspicious email accounts, according to security experts. All of that happened despite a $44 million software upgrade at ESD that was supposed to help detect such fraud." Thousands of Washingtonians went months without receiving their unemployment checks. According to an audit of the ESD, the computer upgrade failed to account for the "human factor."

An audit of the agency found that through the end of June 2020, the ESD had lost $600 million dollars to Nigerian scammers of which they claimed to have recovered only $250 million of the missing funds. ESD said that more had been recovered since June for a total at the time of $357 million. Original estimates placed the loss at closer to $1 billion, though a large amount of the difference was recovered when the fraud was detected.

The audit also revealed that the security and identification process ESD had been using for the years were inadequate to protect the data despite the significant investment by the legislature on behalf of the taxpayers of Washington prior to the economic crisis, and ESD failed to correct or recognize the problems.

The audit also discovered that former ESD Commissioner Suzie LeVine, who has been named to a position in the Biden administration now in charge of federal funds to states for unemployment, had ESD deliberately bypass the waiting period for benefits, and disabled security and verification processes, in order to send out unemployment checks faster. That action was taken by LeVine at the urging of Democrat Governor Jay Inslee. LeVine was a political appointee of Inslee’s who had been a donor to his campaign. Her and her husband donated over $400,000 to the Biden campaign and other Democrat causes in 2019 and 2020.

The fraud was so widespread that 59 employees of ESD had fraudulent unemployment claims made against their own benefit accounts. LeVine has also been accused of imposing "significant constraints" on the auditors as they investigated ESD.

The Washington State Auditor has posted links to help those affected protect their identity which can be found here.