Frequently asked questions regarding a data breach at SAO’s third-party service provider

Feb 4, 2021

The information on this page was last updated: 03/12/2021 5:05 PM

The process is under way to notify people whose unemployment benefits claims information may have been affected by a data security breach of the Accellion file transfer service.

The notifications will be sent by e-mail during the next two weeks to people who filed an unemployment insurance claim in 2020. The e-mail will contain information about identity theft protection and an individual code for 12 months of free credit monitoring and instructions on how to enroll and request assistance.

The Office of the Washington State Auditor will update this page as this process proceeds.

What Happened? In mid-January 2021, SAO was alerted to a potential security incident involving the Accellion file transfer service. SAO immediately contacted Accellion for specific details. Over the next few weeks, SAO learned that an unauthorized person gained access to data stored in SAO's file transfer account with Accellion. SAO began working with Accellion to identify which files may have been impacted by the incident. The incident is under active investigation by Accellion, SAO, and law enforcement.

What Information Was Involved? Some of the data files identified by Accellion contained personal information of individuals, among others, who received unemployment benefits from the Employment Security Department (“ESD”) in the 2017 to 2020 time period. These files may have contained the person's name, Social Security number, date of birth, street and email addresses, bank account number and bank routing number. The Accellion service was not managed by ESD and ESD bears no responsibility for this data breach and is not in a position to respond to calls or questions about this matter. The investigation is underway to identify people and information involving other state agencies and local governments whose files were affected. Those people will also be notified by SAO.

Were Washingtonians targeted? There is absolutely no evidence to date that that the State of Washington or any of its residents were the target of this incident. This incident affected multiple federal and state, local, tribal, and territorial government organizations as well as private industry organizations businesses including those in the medical, legal, telecommunications, finance, higher education, retail, and energy sectors.

Was SAO using an old or outdated product? At the time of the breach, Accellion was supporting and servicing the file transfer platform that SAO and many other organizations were using. In late summer 2020, SAO began the process of migrating to Accellion's newer platform, Kiteworks, a process that was completed Dec. 31, 2020.