Malicious actors last Dec. 25 stole millions of unemployment applicants’ data from the Washington State Auditor’s Office (SAO) via a zero-day vulnerability in a 20-year-old file transfer service from Accellion, Inc. The incident and its aftermath serve as an example of the discord and miscommunications that can transpire between a third-party software provider and its users when something goes wrong.
The attack also demonstrates not only the critical importance of securing sensitive data on the move, but also the potential risks of using legacy applications that are nearing end of life.
In a Monday announcement that updated its original Jan. 12 bug notification, Accellion confirmed the company first learned of a code flaw in the product – Accellion FTA – last December, releasing a fix in under 72 hours and alerting its customers of the exploit on December 23. Attackers continued to exploit FTA via additional vulnerability points through January, prompting the developer to distribute more patches whenever a new bug surfaced.
But the SAO is accusing Accellion of being less than forthcoming, with officials explaining in a virtual press conference and a public statement that it was not aware of any security incident at Accellion until the Jan. 12 bug notification, and it was “not until the week of Jan. 25, 2021, that Accellion confirmed to SAO that SAO files were subject to this attack and provided the information needed for SAO to begin to identify which data files were impacted and individuals whose personal information is in those files.” Previous communications lacked sufficient detail, according to the SAO's account.
Mike Hamilton, president and chief information security officer at CI Security and former CISO of Seattle, told SC Media that the disparity in dates might simply be a matter of semantics. "The vendor may have notified the state of an attack against the Accellion instance that houses state documents, but may not have been specific about what was compromised until later," he said. "This makes sense, as it takes a while to confirm the specifics of incidents like this."
Accellion, meanwhile, said that for the last three years it has been encouraging customers to migrate from FTA, which is approaching its end of life, to its “kiteworks” enterprise content firewall platform, which it says is “built on an entirely different code base," using "state-of-the-art security architecture, and a segregated, secure development process."
Accellion further contends that the “vast majority” of its customers have already made the switch. The SAO, however, only completed its migration on Dec. 31 and was still using the older solution when the attack took place. As a result, the agency was successfully infiltrated by adversaries who stole data in the form of audit records while they were temporarily stored on Accellion’s servers during the transfer process.
Different experts pinned blame on different sides of the conflict. Some suggested that SAO should have long ago migrated to kiteworks.
“While it is not unusual for government agencies to use outdated systems due to budgetary constraints, using a 20-year-old legacy system like the one that was breached is inexcusable,” said Chris Hauk, consumer privacy champion at Pixel Privacy. “Updating to Accellion's newer package after the breach took place is another example of closing the barn door after the horse has bolted.”
"What went wrong here is that the state did not upgrade to the kiteworks variant of the product while the FTA variant was known to be vulnerable," agreed Hamilton. "Government tends to let technology stay in place until replacement or upgrade is unavoidable, something we call ‘management by landmine.’ In an ideal world, government agencies would budget and plan for the procurement and deployment of replacement technology on a time horizon that is ahead of vendor plans for end of life as communicated by the vendor. The right time to migrate is before the product loses vendor support – for example, regular security patches and upgrades."
On the other hand, Paul Bischoff, privacy advocate with Comparitech, said that as long as a software or service is still supported, its users should expect the provider will do its part to keep it secure. “If Accellion still officially supported the product, then it should not try to shift blame,” said Bischoff. “If the product has reached end of life, then the auditor's office shoulders the responsibility for not moving on to a supported product.”
For its part, Accellion asserts that it has continued to support its legacy product. “Our latest release of FTA has addressed all known vulnerabilities at this time,” said Frank Balonis, Accellion’s CISO, in a statement. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate to kiteworks... and have accelerated our FTA end-of-life plans in light of these attacks. We remain committed to assisting our FTA customers, but strongly urge them to migrate to kiteworks as soon as possible.”
But the SAO, which had used FTA for 13 years, was less forgiving. "We paid for, we expected, and we deserve to have a secure system," said Washington State Auditor Pat McCarthy, in a press conference. "We believed that Accellion was providing a secure file transfer product for the state of Washington. We had no indication, no inclination that this product was not secure."
"This secure file transfer service – one of the main features is that it's supposed to do it securely and it's supposed to do it with an awful lot of auditing, and verification. So I'm really disappointed in how long it took them to confirm the files that were in fact compromised," said Jesse Rothstein, co-founder of ExtraHop, as quoted in a news report from local affiliate KING.
The SAO says that approximately 1.6 million unemployment claims were compromised in the breach, with more than a million individuals affected (several applicants filed more than one claim). These claims were originally filed with the state's Employment Security Department (ESD), but ironically, the SAO had taken possession of the files in order to review a previous $600 million unemployment fraud case that had impacted the ESD.
"Each individual who has been impacted by the earlier fraud at the ESD is already frustrated. Everyone who has been a victim of cyberattack is frustrated by how often personal information can be attacked or stolen," said McCarthy. "I'm sorry to add to that frustration and worry. We are absolutely doing everything we can to mitigate the harm caused by this incident."
Stolen data includes unemployment applicants' names, social security numbers, driver’s license numbers, state identification numbers, bank account and routing numbers and places of employment.
"The bad actors of the world will likely use the information acquired in the hack to attempt to learn more about the victims," said Hauk. "Washington state unemployment users will need to be on the alert for phishing emails, snail mails, texts and phone calls – all designed to extract more personal information from unwitting victims. Victims will also want to keep a close eye on their credit, using credit reports, credit alerts, and perhaps credit monitoring services.”
Data from several Washington local governments and state agencies were also affected in the incident, including the Department of Children, Youth and Families. The potential consequences serve as a reminder that securing files in transit is a fundamental component of data management strategy – and just as important as securing data at rest and data in use.
“Organizations have relied on secure data transfer – meaning the data is protected in transmission – as being sufficient. This is no longer true,” said Purandar Das, CEO and co-founder of Sotero Software. “Even if the data is secure during transmission, the underlying data is in clear text. True and complete data protection has to be built from the ground up. Regardless that the data is being transmitted over a secure channel, data security must start at the source – meaning the data should be… encrypted all the time, even in use.”
Das said that credit card companies learned this lesson a long time ago. “Hence the reason why credit card information is never transmitted to the retailer. The card companies encrypt it and don’t transmit or share the information,” he continued. “Unfortunately, the same mechanism does not work for everyone. The transmitted data needs to be available for use and analysis. Adopting newer technologies that enable the use of encrypted data by the proper parties coupled with multi-party key ownership for authentication is one way to eliminate data loss during transmission.”
In the wake of this incident, another lingering question is how many other FTA users might be affected, including perhaps additional states using the same service. Indeed, SAO said that based on news reports, it knows that approximately 50 other organizations were also affected by the same exploit.
“Unfortunately, one of the side-effects of the COVID-19 pandemic has been a huge increase in unemployment claims in the United States and other countries," said Hauk. "While it is unknown how many other states and countries may use the affected version of the Accellion file transfer system, it stands to reason that other states and regions may be hit by similar attacks if they do not take immediate action to update their systems.”
SC Media reached out to both the SAO and Accellion. As of publication, the former reiterated what was previously stated during the office's press conference and the latter declined further comment at this time.
"This is a lesson on third party security and being aware of exposures that are created by vendors that may not be under the purview of the customer organization," said Hamilton. "My guess is that there will be improved contract language going forward with service providers and vendors that clearly articulates liability ownership for an event like this."