State lawmakers at a hearing on Thursday pressed State Assistant Attorney Pat McCarthy, questioning the auditor’s actions in connection with a massive breach of data on 1.3 million Washington residents.
Questions and criticism were raised as to whether McCarthy’s office should have detected the breach at a third-party file hosting vendor earlier, and whether the auditor should have accumulated so much personal information, including Social Security and bank account numbers, that now appears to be in the hands of cybercriminals.
State Sen. Karen Kaiser, who chaired the virtual hearings before the Senate Labor and Commerce Committee, said she welcomed the auditor’s inquiries into the State Department of Public Employment (ESD).
“But last year it seemed to me that there was a real claim by so many Washingtonians to so much personal information,” said Kaiser, D-Des Moines. “It’s just so much information to use … have we outperformed in that effort?”
The director of administrative services for the auditor, El An Roper, defended the data collection as necessary to assess how the ESD was reporting suspicious unemployment claims. The agency is conducting several audits of how the ESD lost hundreds of millions of dollars due to unemployment fraud and delayed the payment of legal claims.
“To conduct this test, our auditors were required to obtain all the requirements files,” he said.
Other legislators were not satisfied with that explanation.
State Sen. Reuven Carlisle, D-Seattle, called the auditor’s request to the ESD “extremely broad,” covering all those who filed for unemployment in 2020.
“Could you take a sample? Five, ten, twenty thousand people.” He pointed to cybersecurity experts who advise governments and corporations to minimize the collection of sensitive data.
The data breach hit a digital file transfer service offered by Accellion, a California tech company, and in addition to the auditor’s office exposed data from dozens of other governments and companies.
Lawmakers on Thursday questioned why the late December breach, which McCarthy’s office said it knew about on January 12, was not made public until February 1.
“It just doesn’t make sense to me,” Kaiser said.
Roper said the auditor’s office contacted Accellion “immediately” to find out about the breach but did not know what had been exposed until a week or so later.
He defended the auditor’s disclosure schedule, saying it was faster than that of private companies, including the Kroger grocery chain, which waited four weeks after finding out it had been hit by the Accellion breach before disclosing it.
Kaiser cut Roper off. “I do not really care about the other [Accellion] customers,” she said.
Last week, the audit office began sending e-notifications to 1.3 million people whose data were leaked as a result of the breach. These notices also include one year of free credit monitoring.
The agency has set up a call center to answer questions about the breach. Roper said the center has received only a few hundred calls so far.
Some lawmakers predicted that public alarm would rise as more people became aware that their personal information had been compromised.
“It may be because we have not notified so many people that they are afraid of the light of day,” said Sen. Curtis King, R-Yakima. “It seems like it took us a long time to notice those people who could pay off their bank accounts.”
For more information on the breach and the state response, visit www.sao.wa.gov/breach2021/