The personal information of more than a quarter-million licensed professionals may have been exposed in a breach of a Washington State Department of Licensing database, agency officials said Friday.
The agency, which licenses around 40 categories of businesses and professionals — everything from auctioneers and private detectives to tattoo artists and real estate agents — said it temporarily shut down its online licensing system, known as POLARIS, Jan. 24 shortly after learning of “suspicious activity involving professional and occupational license data,” according to a spokesperson and a statement posted Thursday on the agency’s website.
Data stored on POLARIS “may include Social Security numbers, birth dates, driver’s license numbers and other personally identifying information,” but the agency doesn’t yet know whether such data was actually accessed or how many individuals may have been affected, agency spokesperson Christine Anthony said in a statement Friday.
There was also “no indication” that the incident had affected other agency data, “such as driver and vehicle licensing information,” agency officials said, adding that all other Department of Licensing systems were operating normally.
Anthony said the agency has been working with the state Office of Cybersecurity, the state Attorney General’s Office and a third-party cybersecurity firm “to fully understand the extent of the incident and take all other appropriate action” and “will release more information when we know more.”
In the meantime, the shutdown of the POLARIS system is causing problems for some professionals and firms that need to apply for, renew or modify their licensing.
The disruption comes at a busy time for real estate agents, appraisers and home inspectors as the state’s real estate market begins to pick up after its typical winter slowdown.
“It’s a horrible time,” said Reis Pearson, an inspector and president of the American Society of Home Inspectors of Washington State.
Even before the breach, the organization had struggled to get state approval for ongoing education courses that are required of inspectors, he said. That process is now likely to be delayed further, just as inspectors’ work gets busier.
Steve Francks, CEO of Washington Realtors, said his members know the department is trying to “fix this problem and restore online services” as quickly as possible, but added that there is “frustration with the lack of communication … regarding a firm plan to fix those issues.” The state has roughly 40,000 licensed Realtors, according the group.
Another possible frustration: the Department of Licensing opened a call center Friday to handle questions about the incident — 855-568-2052 — but said the center would be at limited capacity until Monday.
Officials at the Office of Cybersecurity sounded the alarm of a possible breach after detecting “chatter” about the Department of Licensing on the “dark web,” said state Sen. Reuven Carlyle, D-Seattle, referring to part of the online world where users can mask their identities with special technology and where personal data stolen in data breaches is bought and sold.
Criminals often use stolen personal data to commit impostor fraud — by, for example, filing false tax returns or applying for unemployment benefits, as happened in Washington in the spring of 2020.
“The issue was brought to our attention [after] someone online claimed to have accessed data,” Anthony said. “Immediately we began investigating, and by the afternoon of Jan. 24, 2022, out of caution we shut down the licensing system.”
But investigators have yet to conclude whether personal data was actually removed by hackers or was merely exposed, said Carlyle, chair of the environment, energy & technology committee, who was briefed by the agency earlier this week.
Only a thorough investigation can determine “whether data was accessible and whether it was accessed and if it was, what the scale of that was,” Carlyle said. Until then, he said, “we just don’t have an answer on that.”
Some users of the site said the Department of Licensing was slow in letting licensees know what was happening. “It’s frustrating that they didn’t notify prospective victims sooner,” a Seattle Times reader noted, adding that the POLARIS system appeared to be “under maintenance for more than a week before they sent out an email yesterday about the potential breach.”
Anthony said the agency had initially posted a maintenance message because officials “hoped the issue could be resolved quickly and without impact to professional licensees.” But “once we became aware that it could be a more complex issue, we changed it to ‘temporarily unavailable,'” she said.
The size of the breach remains unclear. Data from 23 professions and business types licensed by the state is processed via POLARIS, Anthony said.
Within those 23 categories, which also include bail bonds agents, funeral directors, home inspectors and notaries, the agency has around 257,000 active licenses in its system, Anthony said, adding that “there are likely more records that may be identified while conducting our investigation.”
Investigators are also still trying to find the location of the breach — whether it was an internal problem at the Department of Licensing, for example, or with a vendor or other third party, Carlyle said.
“They’re not ready to make a conclusion regarding where in the ‘ecosystem’ there was a weakness,” Carlyle said.
The incident at the Department of Licensing is only the latest in a series of recent data breaches that have struck private firms, government agencies and other organizations in Washington and elsewhere.
In late 2020, a software vendor used by the state Auditor’s Office suffered a data breach that likely led to files being accessed by “an unauthorized user,” the auditor said.
In December and January alone, 25 organizations have notified around 300,000 Washingtonians that they were “at risk of harm because of the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of that resident’s personal information,” according a website at the state Attorney General’s Office.
The almost-routine nature of data breaches was on the minds of many professionals in Washington as they awaited updates from the Department of Licensing.
“It’s always distressing when there’s potential security breach,” said Pearson, with the inspectors’ society. “But it feels like that’s kind of part of the daily news in our current climate.”
What to do if you are hit by a data breach or ID theft
While there is no foolproof way to ensure that your information is safe, there are some steps you can take to protect yourself from identity theft.
Call the companies where the fraud may have occurred.
Work with one of the credit bureaus (Experian, TransUnion and Equifax) to check your credit report for suspicious activity and to place a fraud alert or credit freeze on your credit report.
Report the identity theft to the FTC at IdentityTheft.gov.
File a report with your local police department.
Send a copy of the police report to the three major credit bureaus.
Ask businesses to provide you with information about transactions made in your name. A template for a letter you can complete and send to businesses to request records is available on the Attorney General’s Office website at: https://www.atg.wa.gov/db-letter
If you receive a breach notification or believe that you may be a victim of identity theft, please visit the Washington Attorney General’s website for help.
Information from The Seattle Times archive was included in this report.
The opinions expressed in reader comments are those of the author only and do not reflect the opinions of The Seattle Times.