[HN Gopher] Personal data of 1.4M Washington unemployment claima...
___________________________________________________________________
Personal data of 1.4M Washington unemployment claimants exposed in
hack
Author : ryanwhitney
Score : 31 points
Date : 2021-02-01 20:29 UTC (2 hours ago)
(HTM) web link (sao.wa.gov)
(TXT) w3m dump (sao.wa.gov)
| _trampeltier wrote:
| How many large leaks did we have already in 2021 ..
| polka_haunts_us wrote:
| A close relative is caught up in this because the state had them
| file for unemployment last year to recoup some furlough days or
| something. Fortunately(?) they already had their identity stolen
| in a different big hack. Fun times.
|
| The Employment Security Department has basically been on fire for
| the past year with the fraud, delayed payments, and then
| demanding return of some payments. The woman leading the
| department was a big donor to the campaign of the current
| governor. However she's finally facing accountability for her
| department's failure, by being chosen to lead a Federal Sub-Agency,
| focused on state unemployment benefits[0].
|
| I wish I was joking.
|
| [0] - https://mynorthwest.com/2521710/suzi-levine-unemployment-
| exp...
| selimthegrim wrote:
| Reports are saying the state auditor and not ESD was at fault.
| polka_haunts_us wrote:
| This is accurate, and my comment criticizing the ESD is
| generally irrelevant to the topic at hand. However, I'm not
| retracting it, because it's also accurate, and not being at
| fault for this one doesn't excuse the absolute shambles
| they've been in for the past year.
| treeman79 wrote:
| Was out of work for a while some years ago. After days of paper
| work and many weeks of delays I got 200 to help a family of 5.
|
| A few months later I got a letter asking me to pay it back.
|
| Later I got very badly injured. Like brain damage level. Got
| laughed at when applying for disability. Apparently if you have
| a stroke, then a desk job is fine, since you just need to sit
| there.
|
| There is a narrow range between deathly ill and dead in which you
| can obtain assistance.
| fitblipper wrote:
| I'm very sorry to hear all the troubles you've been facing. I
| will soon be deciding where I want to move and this sounds
| like a state I should avoid. Was that in Washington?
| oasisbob wrote:
| Ouch. Avoiding this sort of thing is supposed to be Accellion's
| core competency. If it really was a protocol or server flaw, more
| breach notifications could be coming.
|
| They list some big clients on their website - Kaiser Permanente,
| KPMG, the NHS, etc.
|
| > Prevent breaches and compliance violations with total
| visibility and control over IP, PII, PHI and all sensitive
| content exchanged with third parties
|
| edit: The Reserve Bank of New Zealand and the Australian
| Securities and Investments Commission were also breached; news
| articles pin the blame on a SQL injection in Accellion's File
| Transfer Appliance (FTA).
|
| https://www.databreachtoday.com/australian-financial-regulat...
| polka_haunts_us wrote:
| Here's the relevant quote from a GeekWire article:
|
| "A representative for Accellion told The Times that the breach
| involved a 20-year-old "legacy product" which the company has
| been encouraging customers to stop using."
|
| Basically, you can either blame Accellion for not supporting
| old products enough, or you can blame the State Auditor's
| office for not upgrading in a timely manner, depending on your
| POV. I think 20 years old is enough that I'll blame the
| Auditor's office.
| oasisbob wrote:
| FTA is still a revenue-generating product under support which
| they claim is secure.
|
| https://www.accellion.com/products/fta/
| polka_haunts_us wrote:
| It is true that it's still under support, however that page
| you linked is almost 100% about migrating away from FTA to
| kiteworks which is their new platform. I would be
| relatively shocked if it's actually revenue generating in
| 2021, unless they charge for support. At my company at
| least, anyone calling about a product on that page would be
| very clearly told we're not selling new contracts for that,
| would you like to hear about NewShinyThing instead.
|
| That said, a SQL injection vulnerability in a 20-year-old
| product definitely raises certain questions.
| braindongle wrote:
| Yes, if they have a known vulnerability in the wild in a
| currently-supported product, the rest is just details.
|
| Tangentially, I wonder: has anyone built a friendly
| browse/search interface for all-time CVE data [0]? This
| makes me curious about what the history of SQL injection
| vulnerability discovery looks like.
|
| 0: https://cve.mitre.org/data/downloads/index.html
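One way to get a first look at the question above, as an added example that is not part of the thread: tally CVE records whose description mentions SQL injection by the year in the CVE ID, reading the column layout of MITRE's allitems.csv export (Name, Status, Description, References, Phase, Votes, Comments). The rows embedded here are constructed for illustration and are not real CVE records; the ID year is the assignment year, not necessarily the discovery year.

```python
import csv
import io
import re
from collections import Counter
from typing import Dict

# Constructed sample in the layout of MITRE's allitems.csv export,
# with a preamble line like the real download carries. Not real CVEs.
SAMPLE_CSV = """\
CVE database export (constructed sample, not the real file)
Name,Status,Description,References,Phase,Votes,Comments
CVE-2000-0001,Entry,"SQL injection in example login form allows attackers to bypass authentication.",,,,
CVE-2000-0002,Entry,"Buffer overflow in example daemon.",,,,
CVE-2008-0003,Candidate,"Multiple SQL injection vulnerabilities in example CMS.",,,,
CVE-2008-0004,Entry,"Cross-site scripting in example wiki.",,,,
CVE-2019-0005,Entry,"sql injection in example transfer appliance allows unauthenticated access.",,,,
"""

SQLI_PATTERN = re.compile(r"\bsql\s+injection\b", re.IGNORECASE)
CVE_ID_PATTERN = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def sqli_by_year(csv_text: str) -> Dict[int, int]:
    """Count records whose Description mentions SQL injection, keyed by
    the four-digit year embedded in the CVE ID."""
    lines = csv_text.splitlines()
    # The real export has descriptive preamble lines before the header row;
    # skip everything up to the line that starts with "Name,".
    start = next((i for i, line in enumerate(lines) if line.startswith("Name,")), 0)
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])))
    counts = Counter()
    for row in reader:
        match = CVE_ID_PATTERN.match((row.get("Name") or "").strip())
        if not match:
            continue  # tolerate malformed or non-CVE rows
        if SQLI_PATTERN.search(row.get("Description") or ""):
            counts[int(match.group(1))] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for year, n in sqli_by_year(SAMPLE_CSV).items():
        print(f"{year}: {n}")
```

Pointing the function at the full allitems.csv download gives a rough per-year series; keyword matching on descriptions undercounts records that use other wording, so treat the result as a trend, not a census.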
| cdubzzz wrote:
| > SAO takes cyber security very seriously and appreciates your
| patience as the investigation continues. Updates to this notice
| will be posted on this website as SAO learns additional
| information that may help you with this unfortunate situation.
|
| Read as: "It's too bad this happened to you :shrug-emoji:"
| ryanwhitney wrote:
| > At this time, SAO has determined that data files from the
| Employment Security Department (ESD) were impacted. These ESD
| data files contained unemployment compensation claim information
| including the person's name, social security number and/or
| driver's license or state identification number, bank account
| number and bank routing number, and place of employment.
|
| It's bad.
| GartzenDeHaes wrote:
| FYI, I'm guessing that this is the secure file server used to
| send data to SAO for audits of ESD and other agencies.
___________________________________________________________________
(page generated 2021-02-01 23:02 UTC)