Cyber Incident Victim: Washington State Auditor's Office
Date: Dec 2020
Location: United States of America
Summary
A data breach at the Washington State Auditor's Office exposed sensitive personal information from approximately 1.6 million unemployment claims and additional files from local governments and state agencies. The incident occurred after threat actors exploited a zero-day vulnerability in Accellion's legacy secure file transfer service, with unauthorized access occurring during late December. Compromised data included names, Social Security numbers, driver's license or state identification numbers, bank account details, and workplace information. The office was notified by Accellion in late January that its files were affected, prompting investigations into the full scope of impacted data. Multiple other organizations using Accellion's service, including financial institutions and academic entities, experienced similar breaches due to the same vulnerability before patches could be applied. The incident remains under investigation by law enforcement and the vendor.
Description
The Washington State Auditor's Office (SAO) experienced a data breach resulting from the exploitation of a zero-day vulnerability in Accellion’s legacy secure file transfer service (FTA). The unauthorized access occurred in late December 2020, though Accellion did not confirm the compromise of SAO files until the week of January 25, 2021. Attackers gained access to files transferred via Accellion’s service, including 1.6 million unemployment compensation claims from the Employment Security Department (ESD). These files contained sensitive personal information such as names, Social Security numbers, driver’s license or state identification numbers, bank account and routing numbers, and workplace details. Data from some Washington local governments and other state agencies was also compromised, though the SAO’s investigation into the contents of these additional files remained ongoing at the time of reporting. Accellion had identified the actively exploited vulnerability in mid-December 2020 and deployed a patch to all customers, but the SAO lacked sufficient information to determine the full scope or precise timeline of the incident. The SAO initiated its own investigation upon receiving confirmation from Accellion, coordinating with law enforcement and seeking clarity on Accellion’s findings.

The breach impacted multiple Accellion customers globally, including the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and Harvard Business School (HBS). HBS confirmed unauthorized third parties accessed files containing personal information between December 21 and December 23, 2020, after applying a vendor-supplied patch. Cybersecurity industry sources attributed these breaches to the same Accellion FTA vulnerability. The SAO’s breach notification highlighted the exposure of ESD data but did not confirm whether threat actors exfiltrated or misused the compromised files. Accellion’s FTA service was widely used by financial institutions, government agencies, and organizations requiring secure external document sharing, suggesting potential additional breaches. The SAO’s investigation focused on identifying affected individuals and determining the extent of data exposure across all impacted files, while Accellion faced scrutiny over its disclosure timeline and the scope of vulnerabilities in both its legacy and modern KiteWorks platforms.
