
The Washington State Department of Licensing has restored its website after 650,000 individuals' data was leaked

About the Author
Mark Harmsworth
Director, Small Business Center

The Washington State Department of Licensing (DOL) data breach that occurred in January this year was originally reported to have affected 257,000 individuals. It now appears that the data of approximately 650,000 former and current business owners was leaked.

The data included Social Security numbers, driver's license numbers and dates of birth. Initially DOL did not believe that any drivers' details had been leaked, but during an investigation by DOL it became apparent that the data had, in fact, been stolen.

For the last two months, DOL disabled access to its website, creating significant problems for small business owners attempting to add or change licensing for their business.

The DOL data breach is another high-profile data breach at a Washington State agency. In December 2020, 1.3 million records were breached from the Auditor's data systems while it was performing an audit of the Employment Security Department (ESD) Nigerian fraud problems that occurred during the initial days of the pandemic.

Washington State University (WSU) had a similar-sized data breach (1.2 million records) in April 2017, which resulted in a $4.7 million settlement in 2019.

All the data breaches that are occurring at the state agencies are the result of poor data security protocols and sloppy data protection. Despite agencies having documented security policies, it appears enforcement is inconsistent. In the case of the WSU breach, no protection oversight of the data was provided and a hard drive containing the exposed data was stolen from an insecure location.

State agencies have enormous amounts of personal data and should be held to a higher standard for protecting that data. Policies should be put in place legislatively, with penalties, for individuals who do not follow published data protection policy.

Additionally, the state should follow NIST and ISO guidelines for deleting data that is no longer needed to provide services to Washington residents. Often data is collected by a state agency for a specific reason but is not destroyed or anonymized after it is no longer needed. State agencies should be required to destroy data once the initial purpose for the data collection has been fulfilled.

The policy of many state agencies is to collect personal data for analysis and historical trends. This can be achieved by removing the personal data elements from the data in such a way that it cannot be traced back to an individual. Some data fidelity is lost, but in the event of a data breach, much less or no personal data would be lost.

From the reports in the press, it appears the DOL data breach included historical license data which should not have remained on DOL's active servers after the licenses had expired.

Unfortunately, this is unlikely to be the last data breach that occurs at a Washington State Agency as there appears to be no sense of urgency to implement stricter data controls.

Users that had their data stolen from DOL have until May 22, 2022, to receive free credit reporting.
