Support The Wire

Cybersecurity firm issues final report on breach that exposed Washington State Auditor files

FireEye Mandiant, a cybersecurity forensics firm, released findings today from its investigation into recent cyberattacks which exposed the personal information contained in 1.6 million unemployment claims filed by Washingtonians.

The breach took place in December 2020 and January 2021 on Accellion, a third-party software vendor used by the Office of the Washington State Auditor (SAO) to store data files. The breach struck Accellion’s legacy File Transfer Appliance (“FTA”) product.

The report issued by Mandiant today contained two key findings:

  • Accellion has remediated all known FTA vulnerabilities.
  • Mandiant did not identify any additional vulnerabilities that were exploited by the attackers. During their investigation, Mandiant did identify two new vulnerabilities, which Accellion says have since been remediated. Mandiant did not find evidence which indicated that these two specific vulnerabilities were exploited in the breach.

Charles Carmakal, SVP and CTO of FireEye Mandiant, said,

We worked closely with the Accellion team over the past several weeks to review the Accellion FTA solution. We have concluded our security assessment and determined that effective patches have been made available for all Accellion FTA vulnerabilities known to have been exploited by threat actors in December 2020 and January 2021. As part of our engagement, Mandiant performed penetration testing and code review of the latest version of the FTA solution (9.12.444) and we have confirmed that Accellion has closed all identified FTA vulnerabilities.”

According to SAO, the agency was alerted in mid-January of 2021 to a potential security incident involving Accellion. In subsequent weeks, SAO learned that an unauthorized person gained access to data stored in SAO’s file transfer account with Accellion, the agency says.

SAO later learned from Accellion that the impacted files contained personal information of individuals, among others, who filed unemployment benefit claims in 2020 with the Employment Security Department (ESD). The files may have contained the person’s name, social security number, date of birth, street and email addresses, bank account number and bank routing number.

In its description of the incident, SAO wrote that the “Accellion service was not managed by ESD and ESD bears no responsibility for this data breach.”

SAO’s website says a process is under way to notify people whose unemployment benefits claims information may have been exposed. The agency also says it is also evaluating other tools and protocols for sharing data files in the future.

Last week, the Washington State Senate passed legislation requested by Governor Jay Inslee that would create an Office of Cybersecurity (OCS) to establish security standards that state agencies would be required to meet.

Your support matters.

Public service journalism is important today as ever. If you get something from our coverage, please consider making a donation to support our work. Thanks for reading our stuff.