skip to main content

About the Accellion data security breach

This page is also available in these languages:

ኣማርኛ – Amharic |  العربية – Arabic | Khmer (ភាសាខ្មែរ) – Cambodian | 简体中文 – simplified Chinese | (fārsī) فارسى – Farsi (Persian) | 한국어 [韓國語] – Korean | ພາສາລາວ (pháasaa láo) – Lao |  Afaan Oromo – Oromoਪੰਜਾਬੀ / ﺏﺎﺠﻨﭘ (panjābi) – PunjabiРусский – Russian | af Soomaali – Somali | Español – Spanish  | Tagalog – Tagalog | Tiếng Việt – Vietnamese

Letter from Auditor McCarthy

Washington State Auditor Pat McCarthy

The Office of the Washington State Auditor (“SAO”) was recently made aware of a data security incident involving Accellion, a third-party provider of hosted file transfer services.

We are in the process of sending emails to people who received unemployment benefits from the State of Washington between 2017 and 2020 that their information was involved in the security incident and offering resources to help them.

Our investigation into this incident is ongoing and we are continuing to analyze the affected data files to identify and notify other people whose personal information was potentially affected.

We take data security seriously and are committed to protecting the privacy of personal information entrusted to us. We deeply regret any concern or inconvenience this matter may cause. If you have any questions, please don’t hesitate to call our dedicated call center at 1-855-789-0673, Monday – Friday from 8:00 a.m. – 5:00 p.m. Pacific Time. Additionally, we will keep this webpage, sao.wa.gov/breach2021, updated.

Sincerely,

Pat McCarthy

Washington State Auditor

How to obtain free credit monitoring and identity theft protection services (updated: 3/4/21)

SAO is making 12 months of free credit monitoring and identity restoration services through Experian available to people whose Social Security numbers may have been exposed in the Accellion incident. Due to privacy laws, we are not able to enroll you directly.

The program has two components:

Credit Monitoring. A free 12-month membership to Experian IdentityWorks Credit 3B. This product helps detect possible misuse of your personal information by monitoring all three major credit agencies and provides you with identity protection services focused on immediately identifying and resolving identity theft. IdentityWorks Credit 3B is completely free to you and enrolling in this program will not hurt your credit score.

Identity Restoration. If you suspect fraudulent use of your information or identity theft, and would like to discuss how to resolve those issues, you may reach out to an Experian agent using the contact information for Experian below. This service is available to you for one year and does not require you to enroll or take any other action at this time. If, after discussing your situation with an agent, it is determined that identity restoration support is needed, an Experian Identity Restoration agent will be available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident (including, as appropriate, helping you with contacting creditors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).

If you Receive an Email from SAO with a Personalized Activation Code:  You can sign up for the 12 months of free credit monitoring/identity restoration program through Experian using your personal Enrollment Activation Code provided in the email you received from “Washington State Auditor Incident Response”.  For more information visit www.experianidworks.com/3bcredit.

With your personalized Activation Code, you can also call Experian directly to enroll in the program using this toll-free number: 1-833-256-3154. Representatives are available to assist you and answer questions about the program Monday through Friday from 6:00a.m.-8:00p.m. PST and Saturday/Sunday 8:00a.m.-5:00p.m. PST.

If You Did Not Receive an Email with a Personalized Activation Code by March 15, 2021, you can enroll in Experian’s credit monitoring by following these instructions:

  1. Visit www.experianidworks.com/3bcredit or call Experian directly to enroll in the program using the toll-free number:  1-833-256-3154,
  2. You will need to provide the code: WSHAUD2021.
  3. You will need to provide the engagement number:  B009702
  4. Enrollment will be open until 6/6/2021.

Additional Details Regarding Your 12-MONTH EXPERIAN IDENTITYWORKS Credit 3B Membership:

A credit card is not required for enrollment in Experian IdentityWorks Credit 3B.

You can contact Experian immediately—without needing to enroll—regarding any fraud issues. Identity Restoration specialists are available to help you with credit and non-credit related fraud.

Once you enroll in Experian IdentityWorks, you will have access to the following additional features:

Experian credit report at sign-up: See what information is associated with your credit file. Daily credit reports are available for online members only.*

Credit Monitoring: Actively monitors Experian, Equifax and TransUnion files for indicators of fraud.

Experian IdentityWorks ExtendCARETM: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired.

$1 Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund transfers.

* Offline members will be eligible to call for additional quarterly reports after enrolling.

** The Identity Theft Insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Best practices to protect against identity theft

Review Your Account Statements and Notify Law Enforcement of Suspicious Activity: As a precautionary measure, we recommend that you remain vigilant and review your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission (“FTC”).

Copy of Credit Report: You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting www.annualcreditreport.com/, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can also contact one of the following three national credit reporting agencies:

Equifax

P.O. Box 105851

Atlanta, GA 30348

1-800-525-6285

www.equifax.com

Experian

P.O. Box 9532

Allen, TX 75013

1-888-397-3742

www.experian.com

TransUnion

P.O. Box 1000

Chester, PA 19016

1-877-322-8228

www.transunion.com

Fraud Alert: You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for one year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at www.annualcreditreport.com.

Security Freeze: In the State of Washington and some other states, you have the right to place a security freeze on your credit file. This will prevent new credit from being opened in your name without the use of a PIN that is issued to you when you initiate the freeze. A security freeze is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to obtain credit. You must separately place a security freeze on your credit file with each credit reporting agency. There is no fee to place, lift or remove the security freeze. In order to place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you, including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement.

Additional Free Resources: You can obtain information from the consumer reporting agencies, the Federal Trade Commission or from your state Attorney General about steps you can take toward preventing identity theft. You may report suspected identity theft to local law enforcement, including to the FTC or to the state Attorney General. Here is the contact information for the FTC:

Federal Trade Commission, 600 Pennsylvania Ave, NW, Washington, DC 20580 www.consumer.ftc.gov, and www.ftc.gov/idtheft

1-877-438-4338

You also have certain rights under the Fair Credit Reporting Act (FCRA): These rights include knowing what is in your file; disputing incomplete or inaccurate information; and requiring consumer reporting agencies to correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf.

Frequently asked questions

What Happened? In mid-January of 2021, SAO was alerted to a potential security incident involving the Accellion file transfer service. SAO immediately contacted Accellion for specific details. Over the next few weeks, SAO learned that an unauthorized person gained access to data stored in SAO’s file transfer account with Accellion. SAO began working with Accellion to identify which files may have been impacted by the incident. The incident is under active investigation by Accellion, SAO, and law enforcement.

What Information Was Involved? Some of the data files identified by Accellion contained personal information of individuals, among others, who received unemployment benefits from the Employment Security Department (“ESD”) in the 2017 to 2020 time period. These files may have contained the person’s name, Social Security number, date of birth, street and email addresses, bank account number and bank routing number. The Accellion service was not managed by ESD and ESD bears no responsibility for this data breach and is not in a position to respond to calls or questions about this matter.

Were Washingtonians targeted? There is absolutely no evidence to date that that the State of Washington or any of its residents were the target of this incident. This incident affected multiple federal and state, local, tribal, and territorial government organizations as well as private industry organizations businesses including those in the medical, legal, telecommunications, finance, higher education, retail, and energy sectors.

Was SAO using an old or outdated product? At the time of the breach, Accellion was supporting and servicing the file transfer platform that SAO and many other organizations were using. In late summer 2020, SAO began the process of migrating to Accellion’s newer platform, Kiteworks, a process that was completed Dec. 31, 2020.

Timeline of the incident

Jan. 12: SAO received a general alert from Accellion directed to the users of its Kiteworks platform regarding a potential security incident with the Accellion file transfer appliance that SAO was no longer using.

Jan. 13: SAO notified WaTech and engaged in extensive communications with Accellion to find out which files in transit to or from SAO may have been affected.

The week of Jan. 25: SAO determined that some of the data in the affected SAO files identified by Accellion contained personal information of people who received unemployment benefits from the Employment Security Department (“ESD”).

Feb. 1: SAO announced the incident to the public. SAO followed the substitute notice procedures set forth under the law and a preliminary notice regarding this incident was posted on the SAO website, at sao.wa.gov/breach2021, which we have kept updated.

Feb. 12: SAO notified the Attorney General. That notice was supplemented on Feb. 26.

Feb. 25: SAO set up a call center where people can ask questions and get information about obtaining help related to the incident, and began sending emails to people whose information was in the unemployment benefits data file.