1.4M unemployment records stolen in Washington state data breach
The records of at least 1.4 million people who have made unemployment claims in Washington state have been stolen following a data breach at the state auditor’s office.
In a statement today, the Office of the Washington State Auditor said that it had been made aware of a security breach involving software it uses from Accellion Inc. during the week of Jan. 25. An unauthorized person is said to have gained access to auditor office files by exploiting a vulnerability in Accellion’s file-transfer service.
The data stolen included personal information of Washington state residents who filed unemployment insurance claims in 2020, along with the personal information of other state residents that was being held by the office, including data from the Department of Children, Youth and Families. The data included names, Social Security numbers, driver’s license or state identification numbers, bank information and places of employment.
With some irony, the Seattle Times reported that the unemployment data was being held by the office as part of an investigation into how the state Employment Security Department had lost $600 million in fraudulent unemployment claims.
Of particular note, the state audit office also said other customers of Accellion’s service were similarly affected. Although not originally linked to Accellion at the time, the Reserve Bank of New Zealand is now known to have been affected by the compromise, along with the Australian Securities and Investments Commission. The number of Accellion customers affected could be significantly higher still.
“Unfortunately, one of the side-effects of the COVID-19 pandemic has been a huge increase in unemployment claims in the United States and other countries,” Chris Hauk, consumer privacy champion at privacy site Pixel Privacy, told SiliconANGLE. “While it is unknown how many other states and countries may use the affected version of the Accellion file transfer system, it stands to reason that other states and regions may be hit by similar attacks if they do not take immediate action to update their systems.”
Paul Bischoff, privacy advocate with tech research service Comparitech Ltd., noted that Accellion is a widely trusted cybersecurity company used by several big organizations in the public and private sectors. “Although Accellion claims the auditor’s office used a legacy product and that it encouraged an upgrade, the report doesn’t state whether that legacy product had reached end-of-life status,” he said. “If Accellion still officially supported the product, then it should not try to shift blame. If the product has reached end-of-life, then the auditor’s office shoulders the responsibility for not moving on to a supported product.”