State Auditor hacked; 1.4 million records compromised

OLYMPIA – The Office of the Washington State Auditor (“SAO”) was recently made aware of a security breach involving Accellion, a third-party provider of hosted file transfer services. During the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service. Some of the SAO data files contained personal information of Washington state residents who filed unemployment insurance claims in 2020. The compromised files may also include the personal information of other Washington residents who have not yet been identified but whose information was in state agency or local government files under review by the SAO.

This matter is under ongoing investigation by SAO. SAO is committed to providing timely and accurate information about what happened and who is affected when available, as permitted and appropriate. As such, this page will be updated from time to time on the SAO website as SAO obtains additional information.

Accellion stated that they believe the unauthorized access occurred in late December of 2020. Other customers of this Accellion service were similarly impacted. SAO is currently seeking a full understanding of the timeline of the incident and the status of Accellion’s investigation and the investigation by law enforcement. At this time, SAO does not have enough information to draw conclusions about the timing or full scope of what took place.

It was not until the week of January 25, 2021, that Accellion confirmed to SAO that SAO files were subject to this attack and provided the information needed for SAO to begin to identify which data files were impacted and the individuals whose personal information is in those files.

What information was involved? The data files are voluminous and SAO is in the process of reviewing the impacted files to identify the types of data, agencies, and individuals involved. SAO will provide updates about the types of information involved as soon as that information becomes available through the investigation. At this time, SAO has determined that data files from the Employment Security Department (ESD) were impacted. These ESD data files contained unemployment compensation claim information including the person’s name, Social Security number and/or driver’s license or state identification number, bank account number and bank routing number, and place of employment.