The Washington State Auditor Office disclosed a data breach that exposed the personal information contained in 1.4 million unemployment claims.
According to the breach disclosures, the records were exposed during a December breach of Accellion, a software provider the State Auditor Office used to transfer large files. The Washington State Auditor Office only became aware of the breach’s effect on its files on January 25.
The data in the stolen and exposed files includes names, Social Security numbers, driver’s license or state identification numbers, bank account numbers, routing numbers, and more.
Additionally, the breach exposed files from Washington local governments and other state agencies.
To understand more about the lessons businesses could learn from this breach, we contacted several cybersecurity experts. Here’s what they had to say.
Expert Commentary on the Washington State Auditor Office Breach
Andy Oehler is VP of Product Management at Zentry Security.
“First, it’s critical to maintain an up-to-date environment. Also, just because data is in your own data center does not mean that its security is guaranteed. Maintaining on-prem software requires time and investment, so it’s no surprise that organizations that are understaffed may have older software deployed. In both cases, it’s important to consider the perimeter around these apps. A zero-trust access approach to securing these apps assumes that a threat can come from anywhere. Therefore, it scrutinizes every request to download data to protect its valuable assets and intellectual property.”
Christian Espinosa is Managing Director at Cerberus Sentinel.
“Cybercriminals typically break in by exploiting vulnerabilities or taking advantage of misconfigurations. In this instance, a vulnerability existed that was overlooked. We all want to trust that our cybersecurity teams are doing the best they can to keep attackers out. I believe in what Reagan once said ‘trust, but verify.’ It’s much better, and less costly, to have a trusted ally validate your security than wait until it’s validated or invalidated by an attacker.”
Purandar Das is CEO and Co-Founder of Sotero Software.
“Data sharing by organizations is one of the key areas of vulnerability. This activity is an area that will be targeted more and more by hackers. Organizations have relied on “secure data transfer”, meaning the data is protected in transmission, as being sufficient. This is no longer true. Even if the data is secure during transmission, the underlying data is in cleartext. True and complete data protection has to be built from the ground up. Even when the data is being transmitted over a secure channel, data security must start at the source, meaning the data should be protected (encrypted) all the time, even in use. This is a huge part of protecting data and information.
Credit card companies discovered this a long time ago. Hence the reason why credit card information is never transmitted to the retailer. The card companies encrypt it and don’t transmit or share the information. Unfortunately, the same mechanism does not work for everyone. The transmitted data needs to be available for use and analysis. Adopting newer technologies that enable the use of encrypted data by the proper parties coupled with multi-party key ownership for authentication is one way to eliminate data loss during transmission.”
Niamh Muldoon is Global Data Protection Officer at OneLogin.
“This is a great example of the need for organizations to build a comprehensive Trust and Security program focusing on people, processes, and technology controls to protect data processed and stored, whether it’s within their own organization or with a third party. This breach emphasizes the importance of a ‘Security First’ culture within organizations, which must stay on top of the latest threats. Security must be seen as a business enabler. The State of Washington appears to be taking the right steps in presenting an incident response process and alerting affected citizens.”
Trevor Morgan is Product Manager at comforte AG.
“The very disappointing news that the highly sensitive personal data of 1.6 million unemployed filers in Washington State was exposed underscores just how important data-centric security is. Unlike perimeter security methods, which strengthen the boundaries around data, data-centric security such as tokenization protects the data itself, obfuscating it so that it becomes for all intents and purposes unintelligible. This means that if it falls into the wrong hands, threat actors cannot use it or leverage it for their personal gain—the meaning behind the data remains hidden. Had the caretakers of this data implemented data-centric security, then the privacy of over 1.6 million Washington State citizens would have been maintained and protected.”
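Two of the comments above make the same technical point from different angles: Das argues that data should be protected at the source rather than relying on the transfer channel, and Morgan argues for tokenization so that an exfiltrated file carries nothing usable. The following Python is an added illustration of that idea, written for this page; it is not code from the State Auditor Office, Accellion, or any of the vendors quoted. The field list, the sample claim records, the role name "fraud-auditor" and the in-memory vault are all constructed assumptions. Sensitive fields are replaced by keyed, format-preserving tokens before the file is handed to a transfer service; the token-to-value mapping never leaves the organization, and only an allow-listed role can reverse it. Tokens are deterministic (same key and value give the same token), which is what lets an analyst still match or count repeat claimants on the tokenized side, the "available for use and analysis" requirement Das raises.

```python
"""Field-level tokenization before data leaves the organization.

Constructed demo (not the SAO's or any vendor's code): sensitive fields are
replaced by format-preserving tokens before a file is handed to a third-party
file-transfer service, so a breach of that service yields only tokens.
"""
import hashlib
import hmac
import json
import secrets

# Fields that must never leave the organization in cleartext (assumed list).
SENSITIVE_FIELDS = ("ssn", "drivers_license", "bank_account", "routing_number")

# Constructed sample records, modelled on the data classes named in the article.
SAMPLE_CLAIMS = [
    {"claim_id": "C-1001", "name": "A. Example", "ssn": "123-45-6789",
     "drivers_license": "EXMPLA123BC", "bank_account": "000123456789",
     "routing_number": "125000024", "weekly_benefit": 790},
    {"claim_id": "C-1002", "name": "B. Example", "ssn": "987-65-4321",
     "drivers_license": "EXMPLB987XY", "bank_account": "000987654321",
     "routing_number": "125008547", "weekly_benefit": 640},
    # Same claimant filing a second claim: a deterministic token lets an
    # analyst spot the repeat without ever seeing the SSN.
    {"claim_id": "C-1003", "name": "A. Example", "ssn": "123-45-6789",
     "drivers_license": "EXMPLA123BC", "bank_account": "000123456789",
     "routing_number": "125000024", "weekly_benefit": 790},
]


def _byte_stream(seed: bytes):
    """Unbounded deterministic byte stream derived from one HMAC digest."""
    counter = 0
    while True:
        yield from hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1


def _draw(stream, n: int) -> int:
    """Rejection-sample one byte so the result is uniform over range(n)."""
    limit = 256 - 256 % n
    for b in stream:
        if b < limit:
            return b % n


def _preserve_format(value: str, digest: bytes) -> str:
    """Swap each digit for a digit and each letter for a letter, keeping
    separators such as '-', so layouts and validators still work."""
    stream = _byte_stream(digest)
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(str(_draw(stream, 10)))
        elif ch.isalpha():
            out.append(chr(ord("A") + _draw(stream, 26)))
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Keyed, deterministic, format-preserving tokenizer plus the in-house
    vault that is the only place a token can be turned back into data."""

    def __init__(self, key: bytes, allowed_roles=("fraud-auditor",)):
        self._key = key
        self._allowed_roles = set(allowed_roles)
        self._vault: dict[str, str] = {}  # token -> cleartext, never exported

    def tokenize(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).digest()
        token = _preserve_format(value, digest)
        previous = self._vault.setdefault(token, value)
        if previous != value:  # two values mapped to one token: refuse, don't guess
            raise RuntimeError("token collision; rotate key or lengthen field")
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Reversal is the single privileged operation; gate it explicitly.
        if role not in self._allowed_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._vault[token]


def tokenize_records(records, vault: TokenVault):
    """Return copies of the records with every sensitive field tokenized."""
    protected = []
    for rec in records:
        rec = dict(rec)
        for field in SENSITIVE_FIELDS:
            if field in rec:
                rec[field] = vault.tokenize(rec[field])
        protected.append(rec)
    return protected


def export_for_transfer(records) -> bytes:
    """The bytes that would be handed to a third-party transfer service."""
    return json.dumps(records, indent=1).encode()


def leaks_cleartext(payload: bytes, originals) -> bool:
    """Pre-flight check: does any original sensitive value survive in the payload?"""
    return any(rec[f].encode() in payload
               for rec in originals for f in SENSITIVE_FIELDS if f in rec)


if __name__ == "__main__":
    vault = TokenVault(key=secrets.token_bytes(32))
    protected = tokenize_records(SAMPLE_CLAIMS, vault)
    payload = export_for_transfer(protected)
    print(payload.decode())
    print("cleartext in export:", leaks_cleartext(payload, SAMPLE_CLAIMS))
    print("repeat claimant matched:", protected[0]["ssn"] == protected[2]["ssn"])
    print("auditor sees:", vault.detokenize(protected[0]["ssn"], role="fraud-auditor"))
```

The check in `leaks_cleartext` is the control worth automating: run it on every file before it is uploaded, and treat any hit as a release blocker. Note what this does not solve: the vault key and mapping are now the crown jewels, and the deterministic tokens still reveal that two claims belong to the same person, which is intended here but is itself information to protect.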
Thanks to these cybersecurity experts for their time and expertise! For more information, check out our SIEM Buyer’s Guide.