Washington State’s Employment Security (ESD) Office announced this week: “We were notified of a cyber security incident in the State Auditor’s Office (SAO) involving data that may have been stolen from their third-party vendor. While ESD’s systems have not been breached or hacked, the data with the SAO includes personal information for more than a million individuals who filed unemployment claims in 2020, as well as other information from some state agencies and local governments. In all, roughly 1.6 million claims are likely impacted.”
This means the Social Security numbers and banking information of 1.6 million Americans were stolen during a breach last December. The affected users were Washington State citizens who had filed for unemployment benefits between January 1, 2020 and December 10, 2020. The irony is that the data was stolen during an audit of the ESD, conducted to determine how it had “lost hundreds of millions of dollars to cyberfraudsters, including a Nigerian crime ring known as Scattered Canary” and how it was securing user data. The vulnerability was found in third-party software from Accellion that the State Auditor’s Office used to transfer large files. Unfortunately, the breach was not detected until late January. The software involved has since been patched and the customers using it have been notified. But the damage is done. Identity theft is a serious problem in the world today; in fact, it is Identity Theft Awareness Week.
Breaches seem to occur on at least a weekly basis. Accellion has done what is necessary for now: it detected the breach and responded. But what can we learn from this?
There are two main takeaways from this breach. Security and IT teams should implement a:
Data-Centric Security Approach
It is not enough to protect the systems or even the networks within your organization. You need to start understanding that the traditional security perimeters that originally extended to an organization’s physical walls are no longer there. This fact has certainly come to the forefront with the move to a remote workforce over the last year. With workers now working from home, possibly from personal computers, definitely over their own WiFi networks, that traditional perimeter has been blown away.
The Washington State ESD data breach didn’t occur because of the software the ESD was using. It occurred because of the third-party software the Auditor’s Office was using. The data was beyond the ESD’s traditional barrier. If they had taken a data-centric approach to protecting that data, it might have been obfuscated so that if someone captured it in transit, as happened in this case, they would not have been able to read it. Those 1.6 million Americans don’t care why their personal data was breached; they only care that it was breached. They gave it to the ESD and they expected the ESD to keep it safe. Therefore, it was on the ESD to ensure that the data was safe no matter where it was.
Security First Mentality
A data-centric security approach is part of a Security First mentality. When an organization keeps security as one of its top priorities, it focuses, as our own Niamh Mulldoon stated, “on people, processes, and technology controls to protect data processed and stored, whether it’s within their own organization or with a third party.” Keeping software and systems up to date, reviewing the security practices of third-party vendors, and ensuring that data is safe no matter where it is are all top of mind in a Security First organization.
Unfortunately, this will not be the last of what we hear about the Washington State breach. The fallout will continue for a long time and could cost millions of dollars in the end. When an individual gives an organization their personal information, they expect the organization to keep it safe. Organizations have to realize that their responsibilities follow the data wherever it goes. Only when we see a shift in this perimeter-based security approach will we see a decrease in the frequency of these data breaches.
See how OneLogin is committed to data trust and security.