The Office of the Washington State Auditor (SAO) on Monday said it’s investigating a security incident that resulted in the compromise of personal information of more than 1.6 million people who filed unemployment claims in the state in 2020.

The SAO blamed the breach on a software vulnerability in Accellion’s File Transfer Appliance (FTA) service, which allows organizations to share sensitive documents with users outside their organization securely.

“During the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service,” the SAO said in a statement.

The accessed information is said to have contained personal details of Washington state residents who filed unemployment insurance claims in 2020, as well as other data from local governments and state agencies.

The exact information that may have been compromised includes:

  • Full name
  • Social security number
  • Driver’s license
  • State identification number
  • Bank account number and bank routing number, and
  • Place of employment

The unauthorized access incident is believed to have occurred in late December of last year, although it appears the full scope of the intrusion didn’t become known until Accellion disclosed earlier this month that its file transfer application was the “target of a sophisticated cyberattack.”

The Palo Alto-based cloud solutions company said on January 11 that it was made aware of a vulnerability in its legacy FTA software in mid-December, following which it claimed it addressed the issue and released a patch “within 72 hours” to the fewer than 50 customers affected.

Accellion also said it’s contracting with an “industry-leading cybersecurity forensics firm” to investigate the incident.

Given that the compromised information can be abused to carry out identity theft or fraud, the SAO said it’s in the process of arranging measures to protect the identities of those whose information may have been contained within SAO’s files.

In the meantime, the agency recommends reviewing account statements and credit reports, notifying financial institutions of any suspicious activity, and reporting any suspected incidents of identity theft to law enforcement.

It’s worth noting that Accellion’s FTA software was used as an attack vector to strike two other organizations, including the Australian Securities and Investments Commission (ASIC) and the Reserve Bank of New Zealand (RBNZ), in recent weeks.