The personal unemployment claims data of at least 1.4 million Washingtonians may have been stolen in a hack of software used by the state auditor’s office, Auditor Pat McCarthy said Monday. In a news release, McCarthy said the data, including Social Security numbers and banking information, was exposed in a breach in December of Accellion, a software provider the auditor’s office used to transfer large computer files.
Cybercriminals typically break in by exploiting vulnerabilities or taking advantage of misconfigurations. In this instance, a vulnerability existed that was overlooked. We all want to trust that our cybersecurity teams are doing the best they can to keep attackers out. I believe in what Reagan once said: “trust, but verify”. It’s much better, and less costly, to have a trusted ally validate your security than wait until it’s validated or invalidated by an attacker.
First, it’s critical to maintain an up-to-date environment. Also, just because data is in your own data center does not mean that its security is guaranteed. Maintaining on-prem software requires time and investment, so it’s no surprise that organizations that are understaffed may have older software deployed. In both cases, it’s important to consider the perimeter around these apps. A zero-trust access approach to securing these apps assumes that a threat can come from anywhere. Therefore, it scrutinizes every request to download data to protect its valuable assets and intellectual property.
The shockwaves from the late-December Accellion zero-day continue to be felt across multiple countries; this is a company that has a reseller community situated across the globe and we’re already seeing stories coming out of Australia and New Zealand as well as those from Washington.

It’s as clear an example as we’ve seen for two key components to strong cyber security processes – the auditing of third parties and the personal responsibility for organisations to make sure that they are as up to date as possible with their software.

The fact that the Washington auditor’s office was at the end of a 20-year product life cycle is a worrying sign that proactive assessment and analysis of their file sharing systems weren’t being carried out – they stuck with what they knew and already had in place. The issue is that those on the wrong side of the law will not be using the same technologies and strategies as they were in the early 2000s, so as criminal strategies develop, so too must the secure systems businesses use.

It also is another key indicator to organisations situated in Europe to look closer to home for any secure systems that they need to implement; backed by GDPR and not subject to the regulatory backdoors needed in systems in the US, there is additional peace of mind that comes with European cyber security use.
Compromises come in many forms where the attacker defines the rules of their attack. In this case, the nature of the data is particularly worrisome as it could be used in future crimes. While an offer of a free credit report might help alleviate some of the fallout from the attack, that the information being transferred contained banking information in addition to employment details and Social Security numbers could allow for a highly targeted phishing attack. Washington residents should be particularly wary of anyone directly and proactively contacting them about an unemployment claim via email or phone. Given the nature of the stolen data, it becomes that much easier to trick someone into thinking such proactive outreach is legitimate.

From a cybersecurity perspective, this attack highlights that proper security isn’t simply a matter of protecting servers with firewalls and desktops with anti-malware. Attackers will find a weak link and if transferred data is in a consumable format, such as in plain text, then the damage from a compromise is that much greater. This is a perfect example of where threat models play a role. A forensic analysis will seek to determine key questions like who verified whether the file transfer service set up by Accellion was patched and who determined the file format used for the transfer? Threat models seek to perform a forensic analysis before the incident occurs in order to prevent the need for an incident response.
The very disappointing news that the highly sensitive personal data of 1.6 million unemployed filers in Washington State was exposed underscores just how important data-centric security is. Unlike perimeter security methods, which strengthen the boundaries around data, data-centric security such as tokenization protects the data itself, obfuscating it so that it becomes for all intents and purposes unintelligible. This means that if it falls into the wrong hands, threat actors cannot use it or leverage it for their personal gain—the meaning behind the data remains hidden. Had the caretakers of this data implemented data-centric security, then the privacy of over 1.6 million Washington State citizens would have been maintained and protected.