Background
First, for context, this is required reading: Data breach exposes 1.6 million Washington state residents who filed unemployment claims in 2020 — GeekWire
If you listen to my new podcast with my friend Chris Abramson, “Indistinguishable from Magic” we’re about to release a conversation on this (or already have by the time you read this) over here: Indistinguishable from Magic Podcast | With Rafal Los and Chris Abramson — ITSPmagazine | ITSPmagazine At the Intersection of Technology, Cybersecurity, and Society.
OK, now onto the content of this post.
My Thought Process
When I originally saw that article, my first reaction from the gut was anger. The 1.6M people who had been dealt a bad hand by having to go for unemployment just got screwed a second time. That’s just salt and lime juice in the wound. Then, came the blame see-saw. As I mulled this over in my head, I took to LinkedIn to run a quick poll just to see what you all thought. For reference, the results are here: https://www.linkedin.com/posts/rmlos_security-cybersecurity-breach-activity-6762476500039065600-_6-K
Initially, I concluded that the customer was to blame. As did many of you. Then came my IfM recording where Chris and I debated this point and he hit me with the pocket Aces. Now I’m with those of you who believe that both parties are equally to blame. That said, I believe unless we have some further evidence, in this case, liability may just reside on the vendor. Here’s why.
Point
- The customer was running 20+-year-old software that the manufacturer had suggested they upgrade from. If someone is running software that old, they are likely neglecting upkeep and should recognize the risks of such outdated systems and software for critical functions. This was a failure in risk management, or at least risk recognition.
Counter-point
- Just because the software is old doesn’t make it automatically “risky” or a liability. Further, if the software had not been properly set EOL (end of life) then the vendor is on the hook for supporting it. Even further, the vendor “suggesting” and “recommending” the customer to upgrade from a 20+-year-old version of the software isn’t strong enough language or action.
The Lesson to Learn
Seems like there is enough blame to go ‘round here. The sad fact is that there are finger-pointing and little accountability for what is undoubtedly a catastrophic loss of highly sensitive data. People who are already hurting will get hurt further if their identities are stolen. “Credit Monitoring” isn’t good enough. Not even close. These 1.6M people should have identity theft insurance purchased for them for ~10yrs. It’s high time the industry recognizes “credit monitoring” is as useful to an identity theft victim as that parasol was to Wiley E. Coyote as the boulder crushed him. It’s infuriating as a victim to be told “sorry we screwed up, here’s a consolation prize that’s near as useless to you.”
The second thing, and I think this is critical, both organizations are to blame. Barring any further damning evidence of clear negligence by the State, or by the vendor, both of these hold accountability. The case will likely settle out of court and they’ll part ways, and nobody will learn their lesson. Even the state’s “we’ve now upgraded to the latest version” seems disingenuous, and acknowledgment that they knew they should have upgraded all along.
I guess we won’t know until it’s settled in the court, and more information is available. I’m not expecting transparency from either side here. But if you’re one of these two orgs reading this — you know you’re accountable. Even if there’s a technicality that absolves you, you failed your customers.
Updates
Apparently — the lawsuits have started
https://www.govtech.com/security/Washington-Lawmakers-Focus-on-Cybersecurity-After-Breach.html
Also, Accellion is EOL’ing this FPA mess
https://www.zdnet.com/article/accellion-to-retire-product-at-the-heart-of-recent-hacks/
