The personal identifiable information (PII) of over 1.4 million Washington State citizens was compromised in a cyber attack that has further complicated an already messy unemployment claims fiasco.
In June of 2020, the Employment Security Department (ESD) in Washington State was scammed out of an estimated $650 million due to fraudulent unemployment claims. After a lengthy investigation which left many legitimate Washingtonians waiting on their unemployment benefits for weeks, the breach was linked to a crime ring in Nigeria. Nicknamed Scattered Canary, the group used stolen PII to file thousands of fake unemployment claims across the country.
On February 1, nearly nine months later, Washington State Auditor Pat McCarthy released a statement regarding a data breach in December that exposed the social security numbers, driver’s license numbers, bank information, and place of employment. Over 1.4 million Washingtonians who had filed unemployment claims between January 1 and December 10 were affected. With this information, it is possible for the nefarious actors to reroute unemployment checks into fraudulent accounts. Washingtonians who may have been affected are advised to close their accounts and open a new one. Ironically, the breach took place during an audit of the June incident.
The ESD is insistent that this new breach—after the criticism it faced for the spring breach—is not responsible for this incident. Instead, the blame is placed on Accellion, a third-party file transfer software used by the auditor’s office.
Accellion’s chief marketing officer, Joel York, counters that the software used by the auditor’s office is one of their legacy products and that clients have been advised to discontinue its use. Accellion’s new product, kiteworks, has taken its place and is better equipped to combat against cyber threats. For her part, McCarthy claims that the state has been paying a monthly subscription fee for FTA, the outdated software, which led her to assume that the product was safe. She denies the receipt of any warning that the software needed replacing.
Accellion released an updated statement regarding the December breach that read in part, “All FTA customers were promptly notified of the attack on December 23, 2020. At this time, Accellion has patched all known FTA vulnerabilities exploited by the attackers and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.”
The ESD incident exemplifies several vulnerabilities in today’s cyber threat landscape. Hackers are targeting new and/or overloaded systems that have been necessitated by COVID-19, including healthcare, remote learning/working programs, and taxed government systems.
Additionally, cyber security experts often point to third-party software as common vulnerabilities for organizations. When using outside software, the enterprise is at the mercy of the vendor’s cyber security. The onus is also on the enterprise to stay on top of security alerts, updates, and patches which can be missed during tumultuous times.
Third-party risk management (TPRM) is the process of maintaining a clear picture of vendor goings-on throughout the lifecycle of the relationship. Managing TPRM is worth the time and monetary investment. In 2020, Ponemon Institute reported that over 53% of organizations have experienced at least one data breach caused by a third party. The average remediation cost of such a breach is $7.5 million.
AT&T Cybersecurity suggests these five tips to remediate the risks that third-party vendor relationships inherently hold, which are summarized below:
- Identify all of the organizations in your third-party ecosystem.
- Classify each third-party vendor by risk, i.e. the access that vendor has to valuable data, etc.
- Assess vendors for reputability and a holistic cyber security strategy.
- Create remediation policies for third-party vendors.
- Continuously monitor third parties for contract adherence and strong cyber security practices
Read More: Incident Of The Week