A breach of WA’s licensing agency may have exposed the data of a quarter of a million professionals

The personal information of more than a quarter of a million licensed professionals may have been exposed in a breach of a Washington State Licensing Department database, agency officials said Friday.

The agency, which licenses around 40 categories of businesses and professionals – ranging from auctioneers and private investigators to tattoo artists and real estate agents – said it had temporarily shut down its online licensing system, known as POLARIS, on Jan. 24 shortly after learning of “activity involving business and professional license data,” according to a spokesperson and a statement posted on the agency’s website Thursday.

Data stored on POLARIS “may include social security numbers, dates of birth, driver’s license numbers, and other personally identifying information,” but the agency does not yet know whether this data has actually been consulted or how many people may have been affected, agency spokeswoman Christine Anthony said in a statement Friday.

There was also “no indication” that the incident affected other agency data, “such as driver and vehicle license information,” agency officials said, adding that all other Licensing Department systems were functioning normally.

What to do

If you are the victim of a data breach or identity theft:

Although there is no foolproof way to guarantee the security of your information, there are steps you can take to protect yourself against identity theft.

Call the companies where the fraud may have occurred.

Work with one of the credit bureaus (Experian, TransUnion, and Equifax) to check your credit report for suspicious activity and place a fraud alert or credit freeze on your credit report.

Report identity theft to the FTC at IdentityTheft.gov.

File a report with your local police department.

Send a copy of the police report to the three major credit bureaus.

Ask companies to provide you with information about transactions made on your behalf. A sample letter that you can complete and send to businesses requesting records is available on the Attorney General’s Office website at: https://www.atg.wa.gov/db-letter

If you receive a breach notification or believe you have been the victim of identity theft, please visit the Washington Attorney General’s website at http://www.atg.wa.gov/GUARDIT.ASPX to get help.

Anthony said the agency was working with the state’s Office of Cybersecurity, the state’s attorney general’s office, and a third-party cybersecurity firm “to fully understand the scope of the incident and take any further appropriate action” and “will post more information when we know more.”

In particular, investigators have not yet determined whether the personal data was actually deleted by hackers or was simply exposed, said Sen. Reuven Carlyle, D-Seattle, chairman of the environment committee, of the energy and technology, which was briefed by the agency earlier this week.

The investigation will determine “whether the data was accessible and whether it was accessed and if so, to what extent,” Carlyle said. Until then, he said, “we just don’t have an answer on that.”

Meanwhile, the shutdown of the POLARIS system is causing problems for some professionals and companies who must apply for, renew or modify their license.

The disruption comes at a busy time for realtors, appraisers and home inspectors as the state’s real estate market begins to recover from its typical winter downturn.

It’s a horrible time,” said Reis Pearson, inspector and president of the American Society of Home Inspectors in Washington State.

Even before the violation, the organization had struggled to get state approval for the continuing education courses that are required of inspectors, he said. This process is now likely to be further delayed, as the work of inspectors becomes more burdensome.

Steve Francks, CEO of Washington Realtors, said its members know the department is trying to “resolve this issue and restore online services” as quickly as possible, but added that there is “frustration with the lack of communication … regarding a firm plan to address these issues.The state has about 40,000 licensed real estate agents, according to the group.

Another possible frustration: The Licensing Department opened a call center on Friday to handle questions about the incident (855-568-2052) but said the center would be at limited capacity through Monday.

State Office of Cybersecurity officials sounded the alarm of a possible breach after detecting ‘chatter’ about the Licensing Department on the ‘dark web’, Carlyle said, referring to a party of the online world where users can hide their identity with special technology. and where personal data stolen in data breaches is bought and sold.

Criminals often use stolen personal data to commit impostor fraud, such as filing false tax returns or applying for unemployment benefits, as happened in Washington in the spring of 2020.

“The issue has come to our attention that someone online is claiming to have accessed data,” Anthony said. “Immediately we started investigating and on the afternoon of January 24, 2022, out of an abundance of caution, we closed the licensing system.

Some users of the site said the Licensing Department was slow to let licensees know what was going on. “It’s frustrating that they didn’t notify potential victims sooner,” noted a Seattle Times reader, adding that the POLARIS system appeared to be “under maintenance for over a week before sending an e -email yesterday about the potential breach”.

Anthony said the agency initially issued a maintenance message because officials “hoped the issue could be resolved quickly and without impacting professional license holders.” But “once we realized it might be a more complex issue, we changed it to ‘temporarily unavailable,'” she said.

The size of the breach remains uncertain. Data from 23 state-licensed professions and businesses are processed through POLARIS, Anthony said.

Within those 23 categories, which also include surety bonds, funeral directors, building inspectors and notaries, the agency has approximately 257,000 active licenses in its system, Anthony said, adding that “ there are probably more records that can be identified as we conduct our investigation. .”

But how many of those licensees were actually affected has not been determined, Anthony said.

Investigators are also still trying to determine the location of the breach — whether it was an issue internal to the Licensing Department, for example, or with a vendor or other third party, Carlyle said.

“They’re not ready to come to a conclusion about where in the ‘ecosystem’ there was a weakness,” Carlyle said.

The incident at the Department of Licensing is just the latest in a string of recent data breaches that have hit private companies, government agencies and other organizations in Washington and elsewhere.

In late 2020, a software vendor used by the state auditor’s office suffered a data breach that likely led to files being accessed by “an unauthorized user”, the auditor said.

In December and January alone, 25 organizations notified approximately 300,000 Washingtonians that they were “at risk due to the unauthorized acquisition of data that compromises the security, privacy, or integrity of that resident’s personal information. “, according to a state website. Attorney General’s Office.

The almost routine nature of data breaches was on the minds of many professionals in Washington as they awaited updates from the Licensing Department.

“It’s always a pain when there’s a potential security breach,” said Pearson, of the inspectors’ company. “But it feels like it’s kind of part of the daily news in our current climate.”

Coverage for the economic impacts of the pandemic is partially underwritten by Microsoft Philanthropies. The Seattle Times maintains editorial control over this and all of its coverage.

Leave a Comment