Unemployment Data Breach Investigation Continues

OLYMPIA, WA — Investigators are learning more about the recent data breach which compromised the private information of up to 1.6 million Washingtonians.

The Washington State Auditor’s Office (SAO) confirmed Monday that hackers had exploited a vulnerability in third-party provider Accellion's data transfer software, gaining access to unemployment data the SAO had placed in Accellion's care.

Now, they're working to learn more about the breach, including exactly how many people had their data stolen.

Washington State Auditor Pat McCarthy says the breach likely happened in December, but it wasn't until January that her office was notified.

"This news is unwelcome at any time, but especially during this year of so many stressors," McCarthy said. "I am truly sorry to share this news, and I am committed to doing everything we can to mitigate the harm caused by this crime."

The stolen data likely includes the personal information of anyone who filed an unemployment claim between Jan. 1 and Dec. 10 last year. It may also include the data of several state employees, and anyone whose information was used to file a fraudulent unemployment claim in early 2020 — the auditor's office had the data in the first place because they had been investigating how the Employment Security Department had let 122,000 "known or probable" fraudulent claims slip through their system, allowing scammers to steal $600 million from the state through bogus unemployment claims.

As for exactly whose data was stolen, the SAO is still figuring that out. As the SAO explains:

"The identities and information of individual people are contained in voluminous data files. We are working diligently to extract the identification and information about each person who was affected. We will provide the right information to the right people at the right time. We are doing our best to balance the need for transparency and the need for security. We are committed to sharing all that we can when it is appropriate."

The auditor's office continues, saying it expects to begin notifying individuals who had their data stolen soon, pending approval from its insurance company and legal counsel. t

"Although we do not have a firm date right now, SAO is doing everything in its power to have this process begin quickly."

The SAO has also promised to provide further resources and support to any Washingtonians whose data was compromised. In the meantime, they've set up a website providing guidance for potential victims at sao.wa.gov/breach2021/.

Washingtonians who are concerned that their data may have been compromised by the breach should double-check their bank account statements and credit reports for any suspicious activity, and may want to consider a credit freeze or place a fraud alert on their credit reports.

Find answers to more frequently asked questions from the Washington State Auditor's Office.