February 1, 2021
The Office of the Washington State Auditor (SAO) confirmed that Accellion, their third-party software vendor, underwent a cyberattack on Christmas Day December 25, 2020.
This latest and targeted attack resulted in at least 1.6 million Washington residents (those who had filed unemployment insurance claims between January 1 to December 10, 2020) whose personal data may have been compromised. The information that was breached includes Personally Identifiable Information (PII) including the person’s name, social security number, place of employment, and bank account number.
According to Accellion, the third-party vendor whose system was breached, they notified their customers about the data breach on January 25, 2021, a month after the attack. They explained that the attack happened while they were conducting routine file transfer services with SAO. The attackers found a software vulnerability that compromised SAO files from the Employment Security Department (ESD). The company described the attack as "highly sophisticated" and added that the software that was targeted is File Transfer Appliance (FTA), their legacy file transmitting product.
According to the statement by the SAO, other local governments and state agencies who contract with Accellion were also affected and they are currently determining if the files that were included in the breach contained additional PII information.
The SAO set up a webpage dedicated to educating, answering questions regarding possible identity theft, and offering updates and more on what happened. The office is conducting an investigation and working with state cybersecurity officials, law enforcement, the Employment Security Department, and others to try to alleviate the damage. Another solid reminder that we’re only as safe as our weakest link, particularly when it comes to supply chain information security.
You share the risks of your third-party vendors, so if they are vulnerable, so is your whole organization. The legal department faces different challenges every day but you can lessen the burden with Counself Risk. Start streamlining your process and eliminate manual vendor risk management processes with a secure, collaborative, and automated solution. Your department will be able measure and manage third-party risk conveniently, centrally, and with a full audit history. Firms will respond thoroughly to client due diligence and information security questionnaires, requests, and audits.