People were not even informed until more than a month after their data was stolen.
https://www.geekwire.com/2021/analys...ingly-callous/
Analysis: Washington state's response to data breach affecting 1.4M people is stunningly callous
by Christopher Budd on February 10, 2021 at 7:00 am
...
This means that data entrusted to the Washington State Employment Security Department was handed in trust to the Washington State Auditor as part of its audit. As part of that process, the data was stolen while in the care of Accellion, a vendor selected by the Washington State Auditor for secure data transmission and presumably used for the audit. Further, if Accellion?s statements are true, it was stolen when attackers breached a ?20-year-old legacy product? that Accellion had encouraged customers to upgrade from but the Washington State Auditor did not do until after the breach, closing the barn door after the horse was out.
And it?s important to note that this is critical, easy-to-exploit information including social security numbers, driver?s license or state identification numbers, bank information, and place of employment. This is information that is easily used for bank fraud, identity theft, or both.
...
This brings me to the final point of critique in this response. This data breach is going to disproportionately affect those most vulnerable and at risk; this is data from people who are unemployed during the COVID-19 outbreak. In light of that, any organization, but most especially a government, has an obligation to exceed expectations around their response. In this case, however, the state of Washington isn't even meeting industry expectations.
https://www.geekwire.com/2021/analys...ingly-callous/
Analysis: Washington state's response to data breach affecting 1.4M people is stunningly callous
by Christopher Budd on February 10, 2021 at 7:00 am
...
This means that data entrusted to the Washington State Employment Security Department was handed in trust to the Washington State Auditor as part of its audit. As part of that process, the data was stolen while in the care of Accellion, a vendor selected by the Washington State Auditor for secure data transmission and presumably used for the audit. Further, if Accellion?s statements are true, it was stolen when attackers breached a ?20-year-old legacy product? that Accellion had encouraged customers to upgrade from but the Washington State Auditor did not do until after the breach, closing the barn door after the horse was out.
And it?s important to note that this is critical, easy-to-exploit information including social security numbers, driver?s license or state identification numbers, bank information, and place of employment. This is information that is easily used for bank fraud, identity theft, or both.
...
This brings me to the final point of critique in this response. This data breach is going to disproportionately affect those most vulnerable and at risk; this is data from people who are unemployed during the COVID-19 outbreak. In light of that, any organization, but most especially a government, has an obligation to exceed expectations around their response. In this case, however, the state of Washington isn't even meeting industry expectations.
Comment