A data breach at the State Auditor’s Office has compounded the mess that has been Washington’s unemployment insurance system throughout the coronavirus pandemic.
It likely will take months to decipher the breadth and the impact of the breach, but residents should take cautionary measures and lawmakers should demand accountability.
The breach occurred as the office of Auditor Pat McCarthy investigated the state’s Employment Security Department, after the department paid out $600 million in fraudulent claims during the early days of the pandemic. Employment officials say they have recovered $357 million of those payments.
The auditor’s office demanded claims information from ESD, and in December a vulnerability in a computer file-transfer service allowed unknown people to access the data.
The Social Security numbers, driver’s license numbers, bank account numbers and employment information of 1.4 million Washington residents were exposed in the breach. The information is basically everything a thief needs to steal an identity, and the list includes even those who did not file for unemployment but had fraudulent claims filed under their names.
“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic,” McCarthy said. “I am sorry to share this news and add to their burdens.”
As state officials sort out the mess, the first concern is how residents can protect themselves. For now, officials recommend:
• Obtaining a free credit report at annualcreditreport.com;
• Considering placing a fraud alert on your credit report;
• Reviewing financial account statements and reporting any suspicious activity to your bank or credit union;
• And reporting suspected identity theft to the state Attorney General’s Office, law enforcement and/or the Federal Trade Commission’s IdentityTheft.gov.
That is little consolation for those who might have their identities stolen because of the breach. And lawmakers must get involved to investigate the incident and employ preventive measures in the future.
Legislators from both parties have questioned why the auditor’s office needed personal details as part of its investigation. As state Rep. Matt Boehnke, R-Kennewick, wondered: “Why do we still continue to have full Social Security numbers in locations around state agencies when we can identify by other means?”
McCarthy also must face difficult questions. She was elected to a second term in November, and as a statewide elected official she operates independently of the governor’s office. She will be up for reelection in 2024.
McCarthy has defended her office’s actions, blaming the breach on software from California tech firm Accellion, and a spokesperson said the data was necessary to fully assess why the employment department paid fraudulent claims.
While the details will take some time to sort out, state officials must do all they can to restore public confidence. They should offer free credit monitoring — as Equifax did following a massive 2017 data breach — and additional protections. The auditor’s website says the office “will make resources available to help each affected individual take measures to protect their identity,” but no specifics have been provided.
The impact of the breach and the threat to Washington residents is not yet clear, but it is one more thing to worry about at a most inopportune time.