The personal unemployment claims data of at least 1.4 million Washingtonians may have been stolen in a hack of software used by the state auditor’s office, Auditor Pat McCarthy said Monday.

In a news release, McCarthy said the data, including Social Security numbers and banking information, was exposed in a breach in December of Accellion, a software provider the auditor’s office used to transfer large computer files.

In a head-slapping irony, the compromised data had been collected as part of the auditor’s investigations into how the state Employment Security Department (ESD) lost $600 million to fraudulent unemployment claims.

“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens,” McCarthy said in a statement.

The auditor’s office said the breach affects personal information of people who filed for unemployment claims with ESD between Jan. 1 and Dec. 10, 2020.

What to do if your unemployment data was exposed: The state auditor’s office has set up a web page with resources and information on what to do if you believe your personal information has been exposed. Visit: https://sao.wa.gov/breach2021/

The auditor’s office emphasized that the problem did not originate with ESD, which has been under scrutiny over questions about its own security measures following last spring’s fraud. “I want to be clear: This was an attack on a third-party service provider. The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident,” McCarthy said.

A news conference on the breach was scheduled for Monday afternoon by McCarthy, who said her office is working closely with state cybersecurity officials and law enforcement.

The breached data on 1.6 million unemployment claimants includes their names, Social Security numbers and/or driver’s license or state identification numbers, bank information, and place of employment, the auditor’s office said.

In addition, some personal information of a smaller number of people was compromised, including data held by the Department of Children, Youth and Families, according to the auditor. Some nonpersonal financial and other data from local governments and state agencies also was exposed.

Joel York, Accellion’s chief marketing officer, said in an interview that the data breach involved the company’s 20-year-old “legacy product,” known as FTA, which the company has been encouraging customers to stop using.

“It just wasn’t designed for these types of threats,” York said.

He said the company has been encouraging users for years to upgrade to Accellion’s newer product, known as kiteworks. The auditor’s office upgraded to that product after the data breach, he said.

The FTA vulnerability was fixed through software patches after the December breach became known to Accellion, a Palo Alto, California-based company.

“They got caught in this very short window,” York said of the auditor’s office.

The same security breach also affected other Accellion customers including the Australian Securities and Investments Commission and the Reserve Bank of New Zealand.

McCarthy’s office first disclosed what she termed “a security incident” in a statement to The Seattle Times on Friday evening that provided few details on the scope of the breach.

On Monday, other state officials appeared to be letting the auditor’s office take the lead on the incident.

An ESD spokesperson referred all questions about the data breach to the state auditor’s office.

A spokesperson for Gov. Jay Inslee said the governor had spoken with McCarthy “and expressed his deep concern about the data that was exposed by their third party vendor. As a separately elected statewide official, we understand that they are taking responsibility for this and doing everything they can to address it.”

