skip to main content

About the Accellion data security breach

This page is also available in these languages:

ኣማርኛ – Amharic |  العربية – Arabic | Khmer (ភាសាខ្មែរ) – Cambodian | 简体中文 – simplified Chinese | (fārsī) فارسى – Farsi (Persian) | 한국어 [韓國語] – Korean | ພາສາລາວ (pháasaa láo) – Lao |  Afaan Oromo – Oromoਪੰਜਾਬੀ / ﺏﺎﺠﻨﭘ (panjābi) – PunjabiРусский – Russian | af Soomaali – Somali | Español – Spanish  | Tagalog – Tagalog | Tiếng Việt – Vietnamese

Letter from Auditor McCarthy (updated 5/21/21)

Washington State Auditor Pat McCarthy

The Office of the Washington State Auditor (“SAO”) has updated this webpage to provide an update about the actions taken by SAO to respond to the data security incident experienced by Accellion, a third-party file transfer service for large data files used by SAO for auditing purposes.

Since we first learned about this incident, SAO has had two objectives: (1) identify, notify and offer resources to help the individuals whose personal information was potentially affected; and (2) enhance the ways we transfer and protect personal information.

In March, we completed the process of sending e-mail notifications to people whose information was in the data files related to unemployment benefit payments between 2017 and 2020. If you think you may be affected, but did not receive or no longer have the e-mail, this webpage contains the same information, including how to sign up for one year of free credit monitoring and identity theft restoration services. If you have more questions, call our dedicated Call Center at 1-855-789-0673, Monday – Friday from 8:00 a.m. – 5:00 p.m. Pacific Time.

As part of our ongoing investigation, we recently completed the forensic review of other data files that were on the Accellion platform when the incident occurred. This review provided the information needed to identify other people whose personal information was potentially affected. SAO is working with the state and local organizations whose data was involved to obtain or confirm individuals’ contact information and to notify them. People whose Social Security Numbers were in these affected data files will receive an offer of free, twelve-month credit monitoring and identity restoration services.

SAO takes data security seriously and is committed to protecting the privacy of personal information entrusted to us. We deeply regret any concern or inconvenience this matter may cause. If you have any questions, please don’t hesitate to call our dedicated call center at 1-855-789-0673, Monday – Friday from 8:00 a.m. – 5:00 p.m. Pacific Time. Additionally, we will keep this webpage, sao.wa.gov/breach2021, updated.

Sincerely,

Pat McCarthy

Washington State Auditor

Frequently asked questions about the Accellion security incident

What Happened? In mid-January 2021, SAO was alerted to a potential security incident involving the Accellion file transfer service. SAO immediately contacted Accellion for specific details. Over the next few weeks, SAO learned that an unauthorized person gained access to data stored in SAO’s file transfer account with Accellion. SAO immediately launched an investigation to determine the scope of the incident and how it may have impacted information sent to SAO for audit purposes, and worked with Accellion to identify which files may have been impacted by the incident. SAO also engaged cybersecurity experts to assist with its investigation.

What Information Was Involved? Notifications have been sent by e-mail to people whose information was in data files relating to unemployment benefits paid by the Employment Security Department in the 2017 to 2020 time period. These files may have contained the person’s name, Social Security Number, date of birth, street and email addresses, and/or bank account number and bank routing number.

SAO is also sending individual notifications to the people whose information was identified by the forensic review in other data files of state agencies and local governments that were potentially affected by the Accellion incident. These files contained one or more – but not all – of the following: people’s names, Social Security Numbers, student identification numbers, dates of birth, credit or bank account numbers, health insurance numbers, and/or and health-related information.

Were Washingtonians targeted? The incident affected Accellion customers worldwide and is currently under investigation by law enforcement. There is absolutely no evidence to date that that the State of Washington or any of its residents were the target of this incident. This incident affected multiple federal and state, local, tribal, and territorial government organizations as well as private industry organizations and businesses including those in the medical, legal, telecommunications, finance, higher education, retail, and energy sectors.

Was SAO using an old or outdated product? At the time of the breach, Accellion was supporting and servicing the file transfer platform that SAO and many other organizations were using. In late summer 2020, SAO began the process of migrating to Accellion’s newer platform, Kiteworks; this process was completed Dec. 31, 2020.

How to obtain free credit monitoring and other services if your Social Security Number was involved (updated 5/21/21)

SAO is making 12 months of free credit monitoring and identity restoration services through Experian available to people whose Social Security numbers may have been exposed in the Accellion incident. Due to privacy laws, we are not able to enroll you directly.

If you received a notification with an Activation Code and specific instructions for signing up for credit monitoring with Experian, please follow the instructions in that notification. If you are unsure whether your social security number was involved in the Accellion incident, or if you can’t locate the communication SAO sent you, please call our dedicated call center at 1-855-789-0673, Monday – Friday from 8:00 a.m. – 5:00 p.m. Pacific Time and a representative can assist you in determining whether you are eligible for free credit monitoring.

The program has two components:

Credit Monitoring. A free 12-month membership to Experian IdentityWorks Credit 3B. This product helps detect possible misuse of your personal information by monitoring all three major credit agencies and provides you with identity protection services focused on immediately identifying and resolving identity theft. IdentityWorks Credit 3B is completely free to you and enrolling in this program will not hurt your credit score.

Identity Restoration. If you suspect fraudulent use of your information or identity theft, and would like to discuss how to resolve those issues, you may reach out to an Experian agent using the contact information for Experian below. This service is available to you for one year and does not require you to enroll or take any other action at this time. If, after discussing your situation with an agent, it is determined that identity restoration support is needed, an Experian Identity Restoration agent will be available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident (including, as appropriate, helping you with contacting creditors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).

If you receive a communication from SAO with a Personalized Activation Code: You can sign up for the 12 months of free credit monitoring/identity restoration program through Experian using your personal Enrollment Activation Code provided in the email you received from “Washington State Auditor Incident Response”. For more information visit www.experianidworks.com/3bcredit.

With your personalized Activation Code, you can also call Experian directly to enroll in the program using this toll-free number: 1-833-256-3154. Representatives are available to assist you and answer questions about the program Monday through Friday from 6:00a.m.-8:00p.m. PST and Saturday/Sunday 8:00a.m.-5:00p.m. PST.

If you received unemployment benefits between 2017 and 2020, but did not receive an email with a Personalized Activation Code by March 15, 2021, the enrollment period is open until June 6, 2021. You can still enroll in Experian’s credit monitoring by following these instructions:

  1. Visit www.experianidworks.com/3bcredit or call Experian directly to enroll in the program using the toll-free number: 1-833-256-3154,
  2. You will need to provide the code: WSHAUD2021.
  3. You will need to provide the engagement number: B009702
  4. Enrollment will be open until 6/6/2021.

Additional Details Regarding Your 12-MONTH EXPERIAN IDENTITYWORKS Credit 3B Membership:

A credit card is not required for enrollment in Experian IdentityWorks Credit 3B.

You can contact Experian immediately—without needing to enroll—regarding any fraud issues. Identity Restoration specialists are available to help you with credit and non-credit related fraud.

Once you enroll in Experian IdentityWorks, you will have access to the following additional features:

  • Experian credit report at sign-up: See what information is associated with your credit file. Daily credit reports are available for online members only.*
  • Credit Monitoring: Actively monitors Experian, Equifax and TransUnion files for indicators of fraud.
  • Experian IdentityWorks ExtendCARETM: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
  • $1 Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund transfers.

* Offline members will be eligible to call for additional quarterly reports after enrolling.

** The Identity Theft Insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Best practices to protect against identity theft

Review Your Account Statements and Notify Law Enforcement of Suspicious Activity: As a precautionary measure, we recommend that you remain vigilant and review your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission (“FTC”).

Copy of Credit Report: You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting www.annualcreditreport.com/, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can also contact one of the following three national credit reporting agencies:

Equifax

P.O. Box 105851

Atlanta, GA 30348

1-800-525-6285

www.equifax.com

Experian

P.O. Box 9532

Allen, TX 75013

1-888-397-3742

www.experian.com

TransUnion

P.O. Box 1000

Chester, PA 19016

1-877-322-8228

www.transunion.com

Fraud Alert: You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for one year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at www.annualcreditreport.com.

Security Freeze: In the State of Washington and some other states, you have the right to place a security freeze on your credit file. This will prevent new credit from being opened in your name without the use of a PIN that is issued to you when you initiate the freeze. A security freeze is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to obtain credit. You must separately place a security freeze on your credit file with each credit reporting agency. There is no fee to place, lift or remove the security freeze. In order to place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you, including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement.

Additional Free Resources: You can obtain information from the consumer reporting agencies, the Federal Trade Commission or from your state Attorney General about steps you can take toward preventing identity theft. You may report suspected identity theft to local law enforcement, including to the FTC or to the state Attorney General. Here is the contact information for the FTC:

Federal Trade Commission, 600 Pennsylvania Ave, NW, Washington, DC 20580 www.consumer.ftc.gov, and www.ftc.gov/idtheft

1-877-438-4338

You also have certain rights under the Fair Credit Reporting Act (FCRA): These rights include knowing what is in your file; disputing incomplete or inaccurate information; and requiring consumer reporting agencies to correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf.

Timeline of the incident

Jan. 12: SAO received a general alert from Accellion directed to the users of its Kiteworks platform regarding a potential security incident with the Accellion file transfer appliance that SAO was no longer using.

Jan. 13: SAO notified WaTech and engaged in extensive communications with Accellion to find out which files in transit to or from SAO may have been affected.

The week of Jan. 25: SAO determined that some of the data in the affected SAO files identified by Accellion contained personal information of people who received unemployment benefits from the Employment Security Department (“ESD”).

Feb. 1: SAO announced the incident to the public. SAO followed the substitute notice procedures set forth under the law and a preliminary notice regarding this incident was posted on the SAO website, at sao.wa.gov/breach2021, which we have kept updated.

Feb. 12: SAO notified the Attorney General. That notice was supplemented on Feb. 26.

Feb. 25: SAO set up a call center where people can ask questions and get information about obtaining help related to the incident, and began sending emails to people whose information was in the unemployment benefits data file.