State lawmakers at a hearing on Thursday charged State Assistant Attorney General Pat McCarthy with questioning the auditor’s actions in connection with a major data breach that affected 1.3 million Washington residents.
Lawmakers raised questions and criticism about whether McCarthy’s office should have detected the breach at a third-party file-hosting vendor earlier, and whether the auditor should have accumulated so much personal information, including Social Security and bank account numbers that now appear to be in the hands of cybercriminals.
State Senator Karen Kaiser, who chaired the virtual hearing before the Senate Labor, Commerce and Family Affairs Committee, said she welcomed the auditor’s inquiries into the State Department of Occupational Safety and Health (ESD).
“But last year it seemed to me that there was a real claim by so many Washingtonians to so much personal information,” said Kaiser, D-Des Moines. “It’s just so much information to use … have we outperformed in that effort?”
The director of administrative services for the auditor, El An Roper, defended the data collection as necessary to assess ESD’s questionable unemployment claims. The agency is conducting several audits of how the ESD lost hundreds of millions of dollars to unemployment fraud and delayed the payment of legal claims.
“To conduct this test, our auditors were required to obtain all the requirements files,” he said.
The other legislators were not satisfied with that explanation.
State Sen. Reuven Carlisle, D-Seattle, called the auditor’s request to ESD “extremely broad,” as it included all those who filed for unemployment in 2020.
“Could you take a sample? Five, ten, twenty thousand people,” he said.
The data breach hit the digital file transfer service offered by Accellion, a California-based technology company, and exposed data from dozens of other governments and companies in addition to the audit office.
Lawmakers on Thursday questioned why the late December breach, which McCarthy’s office said it knew about on January 12, was not made public until February 1.
“It just doesn’t make sense to me,” Kaiser said.
Roper said the audit office contacted Accellion “immediately” to find out about the breach, but did not know what cases had been uncovered until a week or so later.
He defended the auditor’s disclosure schedule, saying it was faster than that of private companies, including the Kroger grocery chain, which waited four weeks to find out that it had been breached by Accellion.
Kaiser cut Roper off. “I do not really care about the other [Accellion] customers,” she said.
Last week, the audit office began sending e-notifications to 1.3 million people whose data were leaked as a result of the breach. These notices also include one year of free credit monitoring.
The agency has set up a call center to answer questions about the breach. Roper said the center has received only a few hundred calls so far.
Some lawmakers predicted that public alarm would increase as more people became aware that their personal data had been compromised.
“It may be because we have not notified so many people that they are afraid of the light of day,” said Sen. Curtis King, R-Yakima. “It seems like it took us a long time to notice those people who could pay off their bank accounts.”
For more information on the state response to the breach, visit www.sao.wa.gov/breach2021/