State lawmakers probing the massive data breach at state Auditor Pat McCarthy’s office say they’re frustrated with ongoing secrecy surrounding the incident, which exposed personal information of at least 1.3 million Washingtonians.
Three state senators who have pressed for details about the breach say the auditor’s office has conditioned private briefings on a confidentiality agreement, meaning they cannot share all they learn publicly.
The auditor’s office has justified holding briefings under so-called attorney-client privilege because the agency is being sued over the data breach, according to the lawmakers and internal emails describing the dispute.
Lawmakers say that unusual restriction cuts against transparency and could impede public oversight of the auditor’s office, run by McCarthy, an independently elected statewide official.
State Sen. Karen Keiser, D-Des Moines, said she is refusing to participate in a confidential briefing. Keiser, who chairs the state Senate’s Labor, Commerce & Tribal Affairs Committee, plans to question auditor’s staff about the hack at a committee hearing on Thursday.
“I could not abide by an attorney-client privilege conversation, and then hold oversight hearings,” Keiser said. Trying to “keep a wall between what I know [from the briefing] and what I ask about [at a public hearing] doesn’t work.”
Keiser, who has served in the legislature since 1996, said she could not recall receiving a similar request before from an agency.
Two other state senators — Reuven Carlyle, D-Seattle, and Joe Nguyen, D-White Center — say they reluctantly agreed to the restrictions in order to get a fuller accounting of the Dec. 25 breach, which reportedly occurred when cybercriminals broke into a digital-file transfer service run by Accellion, a California software provider hired by the auditor’s office.
“I am willing to participate. It’s outrageous that this is their approach, but it’s vital to understand what is going on,” Carlyle said in a Feb. 25 email to Keiser, Nguyen and legislative attorneys.
Nguyen, a Microsoft senior program manager, said he wanted to speak directly with the auditor’s technical staff to better understand how the breach occurred, but was told the conversations could only happen if he agreed to keep them secret. “The fact that we both have lawyers talking to each other and not, you know, the technology experts is very telling,” he said in an interview.
McCarthy’s office defended its approach, saying it is working with lawmakers to provide information they need. The auditor “is firmly committed to public oversight of and insight into the Accellion data incident and related investigation,” said Kathleen Cooper, an auditor spokesperson, in an emailed statement.
Cooper said the auditor “will not hide behind attorney-client privilege” and would only shield information “to the narrowest extent possible to balance transparency while protecting our ability to defend ourselves in court.”
The data breach began late last year, when unknown cybercriminals hacked into a file-transfer service, known as FTA, sold by Accellion. That breach has swept up a growing number of companies and public institutions, including the Kroger grocery chain, the University of Colorado and a New Zealand bank.
In Washington's case, the compromised data had been collected as part of the auditor's investigations into how the state Employment Security Department (ESD) lost $600 million to fraudulent unemployment claims last year.
In conducting its probe, the auditor gathered detailed records on more than 1 million unemployment claims filed in 2020, including legitimate applications and others filed by fraudsters in the names of Washingtonians.
The records contained personal identifying information that could be used by criminals for identity theft or financial fraud, including Social Security numbers, dates of birth, street and email addresses and bank-account numbers.
Several lawsuits already have been filed over the data breach, most targeting Accellion, but at least one naming McCarthy’s office as well. The auditor’s office has started sending individual notifications to persons affected, with an offer of a year of free credit monitoring.
Carlyle said in an interview he didn’t think the auditor was trying to hide anything, but that its restrictions raise questions about the legislature’s ability to oversee an independent agency with considerable authority to collect sensitive data.
“There’s an incredibly serious … issue on the table, which is who audits the auditor?” said Carlyle, who chairs the Senate Environment, Energy & Technology Committee and is sponsoring legislation aimed at shoring up state cybersecurity practices. “We have a responsibility to the public to be transparent, and in my view the state Auditor’s Office lawyered up quicker than a New York minute.”
Keiser said she plans to press McCarthy’s staff on Thursday as to why they needed to collect so much highly sensitive data from ESD. “I wondered at the time whether they needed that much personal information and I still don’t have an answer to that,” she said.
Toby Nixon, longtime president of the Washington Coalition for Open Government, said there are sometimes legitimate reasons to limit disclosure of sensitive government information, such as to protect private data or shield ongoing criminal investigations.
But, Nixon said, public agencies too often overuse such excuses to hide important facts. “I think that their impulse is to circle the wagons, prevent people from holding them accountable in any way,” he said.
Thursday's hearing about the auditor data breach starts at 8 a.m. and will be streamed by TVW.org.