The state Auditor’s office is planning to send notifications to the estimated 1.3 million people affected by an unemployment data breach that occurred in the Auditor’s computer systems in December last year. The breach occurred while files were being transferred between the Auditor’s department servers and its third-party security company, Accellion.
The irony, and sad reality, is that the Auditor’s office was investigating the Employment Security Department (ESD) over the $650 million stolen in the Nigerian unemployment scam earlier in 2020. The data breach has only made the situation more miserable for those still trying to get their unemployment benefits paid.
State Auditor Pat McCarthy was quoted in the Columbian as saying, “I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens.”
The Auditor’s office offers a cybersecurity service to local governments, which apparently was not applied to its own systems or to its interactions with third-party vendors.
With today’s technology-based systems, the reality is that no system is 100% safe, but in this case several reasonable steps appear not to have been taken by those handling the data. As with the data breach at WSU in 2017, data that should have been stored on secure servers was stolen while it was outside of its intended normal use. In the WSU case, a researcher had data stored on a local drive for analysis and did not follow the appropriate data protection procedures. In the recent breach at the Auditor’s office, the data had been moved to a third-party file location and was breached, apparently, due to a lack of security patching on those servers.
The government stores a great deal of very sensitive data about Washington residents on its servers, and a secondary audit should be performed not just of the breach that has occurred, but of the state’s overall approach to sharing data between agencies.
Questions that need to be asked include (but are not limited to):
- What security precautions are needed to protect data when out of the control of the parent agency? How is this confirmed?
- Who should have access and to what data?
- Can the requirement to access the data be achieved without removing it from the controlling agency systems?
- Can the data be anonymized to reduce the potential harm of a breach?
Private companies are required to follow laws to protect both the security and the privacy of consumer data and recent proposals such as the Washington Privacy Act should also be applied to state agencies.
It’s time the agencies took the protection of personal data seriously.
For those concerned that their data may have been part of the breach, the Auditor has published a webpage for more information and steps you can take to protect your accounts and credit.