Data breach compromised info of 1M-plus who sought benefits:
A Washington agency examining how the state fell victim to massive unemployment fraud last year said Monday that files on 1.6 million claims that it obtained for its investigation have been exposed by a data breach — meaning people who already lost work due to the pandemic might have to add identity theft to their difficulties.
The breach involved a third-party software vendor, Accellion, which the state Auditor’s Office uses to transmit files. The auditor has been looking into how Washington’s Employment Security Department lost hundreds of millions of dollars to fraudsters, including a Nigerian crime ring, who rushed to cash in on sweetened pandemic-related benefits by filing fake unemployment claims in the names of real state residents.
“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic,” Auditor Pat McCarthy said in a news release. “I am sorry to share this news and add to their burdens.”
[...] Those potentially affected include people who filed for unemployment benefits between Jan. 1 and Dec. 10, 2020. That includes many state workers as well as people who had fake unemployment claims submitted on their behalf.
[...] Other Accellion customers were also affected, including Australia’s securities regulator and New Zealand’s central bank.
McCarthy said the state learned of the attack Jan. 12, after Accellion made a general announcement regarding a security breach, but Accellion said it notified customers Dec. 23. It wasn’t until last week that the Auditor’s Office learned what files might have been accessed, McCarthy said.
(Score: -1, Flamebait) by Anonymous Coward on Wednesday February 03 2021, @09:04AM
Effectively since we pay the unemployed, we are their boss. We have the right to know who they are, where they live and what they do on our dime. I want 24/7 camera access to make sure they are searching for a job every minute of the day, not jacking off and certainly not taking the dope. It is my religious freedom to do that, hear m brother Alito! Aiiigt!
(Score: 2) by jb on Thursday February 04 2021, @02:39AM (2 children)
Given that various free implementations of scp(1) have been around for at least 25 years now, why on earth would anyone be crazy enough to use a "third-party software vendor" just "to transmit files"?
The mind boggles...
(Score: 3, Interesting) by lentilla on Thursday February 04 2021, @04:15AM (1 child)
Because scp won't work through firewalls, and getting authorisation to open that port requires filling out a mountain of paperwork and then fighting multiple turf wars. So it's far, far easier to outsource it. That's how vertical integration software vendors get their toe into the system - and once they are there they are impossible to excise.
Humans. They spend so much effort putting systems in place to prevent mishaps that nobody can get any useful work done. Then other humans do an end-run around the obstruction and cause the very mishaps the original systems were supposed to prevent.
(Score: 2) by jb on Friday February 05 2021, @02:30AM
Sure it will .. so long as you only point it at tcp ports which your layer 4 filtering policy already allows through and on which your layer 5 filtering policy (if you're unfortunate enough to have one) already expects to see sessions begin with a tls handshake.
If that feels like too much typing (a mere 7 extra chars per transfer?), then feel free to install as rcp (since the real one should be long gone) somewhere in your path a trivial wrapper like:
#!/bin/sh
# rcp wrapper: run scp on port 465; "$@" is quoted so arguments containing spaces stay intact
/usr/bin/scp -P 465 "$@"
and you can comfortably go back to writing rcp $foo ${remotehost}: like it's 1989 (and that command's so short that even an accountant should be able to remember it).