Personal data of 1.4M Washington unemployment claimants exposed in hack (wa.gov)
37 points by ryanwhitney on Feb 1, 2021 | hide | past | favorite | 19 comments



A close relative is caught up in this because the state had them file for unemployment last year to recoup some furlough days or something. Fortunately(?) they already had their identity stolen in a different big hack. Fun times.

The Employment Security Department has basically been on fire for the past year with the fraud, delayed payments, and then demanding return of some payments. The woman leading the department was a big donor to the campaign of the current governor. However, she's finally facing accountability for her department's failure, by being chosen to lead a Federal Sub-Agency focused on state unemployment benefits[0].

I wish I was joking.

[0] - https://mynorthwest.com/2521710/suzi-levine-unemployment-exp...


Was out of work for a while some years ago. After days of paperwork and many weeks of delays I got 200 to help a family of 5.

A few months later I got a letter asking me to pay it back.

Later I got very badly injured. Like brain damage level. Got laughed at when applying for disability. Apparently if you have a stroke, then a desk job is fine, since you just need to sit there.

There is a narrow range between deathly ill and dead in which you can obtain assistance.


I'm very sorry to hear all the troubles you've been facing. I will soon be deciding where I want to move and this sounds like a state I should avoid. Was that in Washington?


Washington is similarly troubled. As I hear it from my friends, it was not this bad years ago in Washington and Florida. These must be recent, previously unnoticed incompetencies. (Pardon, the word "incompetencies" may be too harsh.) New Jersey unemployment claims were almost this bad 20 years ago.

I am one of those who has been in the process of proving identity for a few months now.


No. Florida. Good economic freedom. No safety net.

Disability was private company though.


California just as bad.

1.4 million (the same number of people) cut off on January 1 because they needed to prove their identity.

The California agency is backing off on this, probably because of the intense human cost of that many.

In other places these things aren't treated so lightly.

The Netherlands government (Prime Minister and cabinet) recently resigned over a scandal where about 40,000 people in a country of 17 million, so like 800,000 in proportion in the USA, were kicked off family benefits and accused of fraud, often for BS like forgetting to sign a document.


Reports are saying the state auditor and not ESD was at fault.


This is accurate, and my comment criticizing the ESD is generally irrelevant to the topic at hand. However, I'm not retracting it, because it's also accurate, and not being at fault for this one doesn't excuse the absolute shambles they've been in for the past year.


> At this time, SAO has determined that data files from the Employment Security Department (ESD) were impacted. These ESD data files contained unemployment compensation claim information including the person’s name, social security number and/or driver’s license or state identification number, bank account number and bank routing number, and place of employment.

It's bad.


> SAO takes cyber security very seriously and appreciates your patience as the investigation continues. Updates to this notice will be posted on this website as SAO learns additional information that may help you with this unfortunate situation.

Read as: "It's too bad this happened to you :shrug-emoji:"


Ouch. Avoiding this sort of thing is supposed to be Accellion's core competency. If it really was a protocol or server flaw, more breach notifications could be coming.

They list some big clients on their website - Kaiser Permanente, KPMG, the NHS, etc.

> Prevent breaches and compliance violations with total visibility and control over IP, PII, PHI and all sensitive content exchanged with third parties

edit: The Reserve Bank of New Zealand and the Australian Securities and Investments Commission were also breached; news articles pin the blame on a SQL injection in Accellion's File Transfer Appliance (FTA).

https://www.databreachtoday.com/australian-financial-regulat...


Here's the relevant quote from a GeekWire article:

"A representative for Accellion told The Times that the breach involved a 20-year-old “legacy product” which the company has been encouraging customers to stop using."

Basically, you can either blame Accellion for not supporting old products enough, or you can blame the State Auditor's office for not upgrading in a timely manner, depending on your POV. I think 20 years old is enough that I'll blame the Auditor's office.


FTA is still a revenue-generating product under support which they claim is secure.

https://www.accellion.com/products/fta/


It is true that it's still under support; however, that page you linked is almost 100% about migrating away from FTA to kiteworks, which is their new platform. I would be relatively shocked if it's actually revenue generating in 2021, unless they charge for support. At my company at least, anyone calling about a product on that page would be very clearly told we're not selling new contracts for that, would you like to hear about NewShinyThing instead.

That said, a SQL injection vulnerability in a 20-year-old product definitely raises certain questions.


How old is Bobby, you know, Little Bobby Tables?

https://xkcd.com/2085/
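The vulnerability class the two comments above refer to (the SQL injection reported in Accellion's FTA, and the xkcd joke about it), shown as an added example that is not code from this thread, from Accellion, or from the affected appliance, whose schema is not described anywhere on the page. The `users` table, the `lookup_vulnerable` / `lookup_parameterized` helpers and the sample rows are all constructed for illustration; the defect and the fix are the textbook ones: splicing user input into SQL text versus binding it as a parameter.

```python
import sqlite3

# Constructed sample data: a tiny account table standing in for whatever
# schema a file-transfer appliance might have. Nothing here mirrors the real product.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The classic defect (hypothetical helper): the caller-supplied value is
    concatenated into the SQL text, so a quote character in the input ends the
    string literal early and the remainder is parsed as SQL, changing the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix (hypothetical helper): the statement is fixed text and the value
    travels separately as a bound parameter. The driver treats it purely as data,
    so quotes or keywords inside it can only ever be compared against usernames."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare_lookups(username):
    """Run both variants on one input and return (vulnerable_rows, safe_rows).
    For an ordinary username both agree; for input containing a quote and a
    tautology, only the concatenated variant is tricked into matching every row."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both queries return the one matching account.
    print(compare_lookups("alice"))
    # A quote followed by a tautology: the concatenated query collapses to
    # "WHERE username = '' OR '1'='1'" and returns all rows; the bound query
    # looks for a user literally named that and returns nothing.
    print(compare_lookups("' OR '1'='1"))
```

The review habit this encodes is simple: any SQL built with `+`, `%` or an f-string from request data is the finding, regardless of how old the product is; the parameterized form is the remediation, and the same contrast holds for every driver and ORM that supports bound parameters.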


Yes, if they have a known vulnerability in the wild in a currently-supported product, the rest is just details.

Tangentially, I wonder: has anyone built a friendly browse/search interface for all-time CVE data [0]? This makes me curious about what the history of SQL injection vulnerability discovery looks like.

0: https://cve.mitre.org/data/downloads/index.html


While this is bad news, I hope something like this can make knowing someone's SSN not such a security risk. It blows my mind that in America if someone knows your SSN they could defraud your bank, and the bank can then blame you and make your life hard. If the bank decides to offer a loan or a CC to someone whose only identification is your SSN then it should be fully on the bank to recoup its losses.


FYI, I'm guessing that this is the secure file server used to send data to SAO for audits of ESD and other agencies.


How many large leaks have we had already in 2021...



