
Not our fault. And good luck, you’re on your own.

These are essentially two main messages from Washington state government to its citizens and those affected by the recent Washington State Auditor data breach.

As someone who has managed data breaches and security response situations for years, I’m genuinely floored by the tone and (lack of) actions in the state’s response so far.

Compared to other major data breaches, the state is staking out one of the strongest disavowals of responsibility we’ve seen. And its response to the citizens whose data it was entrusted to protect is stunningly callous in its inadequacy.

What we know about the breach

The breach involves the personal information of at least 1.47 million Washington state residents, including names, social security numbers and/or driver’s license or state identification numbers, bank information, and place of employment.

It appears that the data originally belonged to the Washington State Employment Security Department (ESD). However, the data in question was under the custodianship of the Washington State Auditor as part of its investigation into $600 million in losses from fraudulent unemployment claims. Further confusing the story, the Washington State Auditor claims the data was stolen from Accellion, a Palo Alto, Calif.-based company whose homepage advertises services to “Prevent Breaches and Compliance Violations from Risky 3rd Party Communications.”

A representative for Accellion told the Seattle Times that the breach involved a 20-year-old “legacy product” which the company has been encouraging customers to stop using. Accellion had reportedly been encouraging users to upgrade to a newer product, which the auditor’s office did after the data breach, according to Accellion Chief Marketing Officer Joel York.

This means that data entrusted to the Washington State Employment Security Department was handed in trust to the Washington State Auditor as part of its audit. As part of that process, the data was stolen while in the care of Accellion, a vendor selected by the Washington State Auditor for secure data transmission and presumably used for the audit. Further, if Accellion’s statements are true, it was stolen when attackers breached a “20-year-old legacy product” that Accellion had encouraged customers to upgrade from but the Washington State Auditor did not do until after the breach, closing the barn door after the horse was out.

And it’s important to note that this is critical, easy-to-exploit information including social security numbers, driver’s license or state identification numbers, bank information, and place of employment. This is information that is easily used for bank fraud, identity theft, or both.

The response

The Washington State Auditor’s homepage features a link to learn more about the Accellion incident.

Another important set of facts revolves around the response from these three data custodians to protect those affected.

First, there is no information about this data breach available from Accellion’s site. In fact, the site doesn’t even mention it.

The same is true for the Washington State Employment Security Department. There is no information there at all.

The Washington State Auditor’s website, to its credit, prominently advertises the breach and a link to a special page set up about it. However, guidance for what to do if you’re affected requires you to follow a truly byzantine series of multiple links. And ultimately, the guidance amounts to generic steps you need to take yourself to monitor for malicious activity.

After successfully navigating three separate web pages on three separate agency sites, you’ll find three guides that are generic and don’t speak to this situation specifically at all.

Most importantly, there is no indication that any of the parties are taking any action themselves to implement credit and/or identity theft monitoring on behalf of the victims of this breach.

Who is responsible for the breach?

First, looking at the disavowal of responsibility, the state has essentially pointed the finger at a vendor and claimed the situation was the vendor’s fault. This isn’t the first (nor will it be the last) time an organization was compromised through a third-party vendor. Most notably, the Target data breach of 2013, one of the largest to date at the time, was a result of a successful compromise of a third-party organization.

However, in this incident, the state has abrogated its custodial responsibility for its (i.e. your) data by pointing the finger entirely and exclusively at the vendor and taking no responsibility. It’s also notable that the vendor has defended itself by saying there was a more secure option available but the state decided against paying for it, further highlighting the state’s responsibility in the matter.

Yes, Accellion held the data and suffered the breach and is responsible for that. But from a privacy perspective, the data originally belonged to the state of Washington — and so ultimate responsibility for what happened to it is theirs.

Going back to the Target data breach, Target was ultimately held responsible for their data breach by the courts. The same is true of public opinion: few, if any, can name the third party processor involved in that breach (it was Fazio Mechanical). It is known as the “Target Data Breach.”

In the privacy world, we talk about “custodians of data” much like banks are custodians of money. The organization you give your data or money to is the one responsible for it; anything that happens because of their decisions is their fault and their problem, not yours.

Put simply, the state of Washington’s response so far has been “Not our fault.”

Analyzing the response

In the world of security and privacy incident response, we say that you measure two things:

  1. The severity of the incident
  2. The quality of the response to the incident

Sometimes very severe incidents can have outstanding responses, making them much less bad overall. Conversely, sometimes minor incidents can have terrible responses, making them much worse.

And then there is this case: a very severe incident with a terrible response.

Let’s be clear: by not implementing basic credit and/or identity theft monitoring for those affected, the state of Washington’s response is below the current de facto standard in the industry. Target offered free monitoring for their victims for a year in 2014. This has become a standard minimal response in data breaches, especially in light of seven intervening years of additional data breaches.

By leaving any remediation and protection in the hands of the victims with no assistance whatsoever, the state is saying “Good luck, you’re on your own.”

Further, while the state deserves credit for putting information on the breach prominently on the Auditor’s website, that is the bare minimum of communications for an incident like this. The fact that users are required to jump through three separate sites only to get generic information significantly detracts from the meaningfulness of that response.

Having run communications for incidents like this myself, best practices for an incident like this would be to have one prominent web page that’s easily available with a simple URL. That page would have links to all of the relevant information, and clear and prominent guidance on what to do. It would also have related web pages linking to it from all potentially relevant sites.

Continuing the example, the State Auditor’s Office and the State Employment Office would point to that single page, and maybe even Accellion’s site as well (a reasonable request from an impacted customer). Another thing a mature response would look at is localization, since the victims certainly include those for whom English is not their first language.

Additionally, there is no indication that offline communication is happening, such as notices through the mail or radio and television advertising. For an event this serious, those are communication tactics that should be looked at to ensure awareness by the people affected. All the more so since the specifics of this data breach mean that poorer, less-connected and less-sophisticated users are at the highest risk. You tailor not just your messages to your audience, but your methods of communication as well.

This brings me to the final point of critique in this response. This data breach is going to disproportionately affect those most vulnerable and at risk; this is data from people who are unemployed during the COVID-19 outbreak. In light of that, any organization — but most especially a government — has an obligation to exceed expectations around their response. In this case, however, the state of Washington isn’t even meeting industry expectations.

There is time to make it right

The reality of today is that data breaches happen. They can be prevented or mitigated with good security practices such as using up-to-date technology. The state of Washington appears to have passed on that by using a legacy system against the vendor’s recommendations.

Data breach incidents can be mitigated with the data custodians clearly taking responsibility for the event, proactively moving to offer measures to protect those affected, and providing clear, simple, direct, actionable communication to those affected that will reach them. Here again, the state of Washington has failed to do any of these.

Add to this the fact that this data affects those most vulnerable and impacted by the COVID-19 pandemic and you get a response that is effectively callous.

There is time to make it right. The breach already spurred lawmakers to draft a bill that would give the state’s Office of Cybersecurity more authority for how agencies store data.

If Gov. Jay Inslee steps in now, has the state take responsibility, and gives people the clear direction and assistance they need, the state can turn this around.

If it doesn’t, this has the potential to go down in the history books as one of the worst data breaches with the worst response we’ve seen in this country.
