Personal data of 1.4 million Washington state unemployment claimants exposed in hack of state auditor

This story is a fractal of facepalms.

The auditor’s office said the breach affects personal information of people who filed for unemployment claims with ESD between Jan. 1, 2020 and Dec. 10, 2020, and included a total of 1.6 million claims.

So basically, everyone who applied for unemployment in WA due to the pandemic.

In a head-slapping irony, the compromised data had been collected as part of the auditor’s investigations into how the state Employment Security Department (ESD) lost $600 million to fraudulent unemployment claims.

(background on that, from June)

State Auditor Pat McCarthy said Monday the records — including Social Security numbers and banking information — were exposed during a December breach of Accellion, a software provider the auditor’s office uses to transfer large computer files.

So not just normal personal information, but also banking details.

And the actual breach occurred in...legacy software that the publisher says no one should use anymore.

Joel York, Accellion’s chief marketing officer, said in an interview the data breach involved the company’s 20-year-old “legacy product,” known as FTA, which the company has been encouraging customers to stop using.

“It just wasn’t designed for these types of threats,” York said.

He said the company has been encouraging users for years to upgrade to Accellion’s newer product, known as kiteworks. The auditor’s office was in the process of moving to that product at the time of the data breach, he said.

Asked why her office had relied on software Accellion has described as aging and less secure than its newer product, McCarthy said the state paid an annual subscription fee for the service for the past 13 years and relied on it to be safe.