Update: Washington Licensing Agency Investigates Suspected Breach
DOL Shuts Down Online System Containing Data for More Than 250,000 Individuals
The Washington State Department of Licensing announced it has shut down operations of its online licensing system, the Professional Online Licensing and Regulatory Information System - or POLARIS - after it "became aware of suspicious activity involving professional and occupational license data," according to a statement released by the agency. Unusual activity was first detected during the week of Jan. 24, and the investigation into the incident has been ongoing.
Nathan Olson, assistant director for the Communications and Outreach Division at DOL, tells Information Security Media Group that the agency "received a report that someone without authorization claimed to have accessed data." On Friday, Olson confirmed that the "suspicious activity" was determined to be a breach and the number of individuals affected could be up to 650,000.
"In response, DOL will begin notifying all affected individuals in a variety of ways, including direct notice, notice to the Washington Attorney General and others as required by law, and notice through updated information on our website," a statement from DOL said.
The agency currently has 257,000 active licenses retained in its systems, according to a report by The Seattle Times. However, according to the updates from DOL, the actor also stole information from inactive account holders, such as those whose licenses had been revoked or suspended or had expired.
The statement from DOL says POLARIS "issues licenses for 39 types of businesses and professions, including cosmetology, real estate brokers, bail bondsmen, architects and driver training school instructors."
"At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information," the statement says. "All other DOL systems are operating normally."
In order to continue doing business, DOL has created an "Intent to Renew" form for professionals seeking to renew their licenses. It has also created a call center that can operate at full capacity starting this week to receive questions connected to the data breach incident.
Details of the Data Breach
Although details of the incident are scarce at this time, DOL says there is no indication that systems other than POLARIS have been compromised and all other systems continue to run as normal, including the issuance of licenses for drivers and vehicles. According to DOL, POLARIS stores a wide catalog of sensitive information, including Social Security numbers, birthdates and driver's license numbers.
"We have no estimate for how long our professional licensing system will be offline," Olson says. "But we do have a manual process for collecting license renewals, and we are working on a process for new professional licensees."
In order to complete an investigation into the alleged data breach, DOL is working with the Washington Office of Cybersecurity. The office provides various resources for incident reporting on its website, as well as guidelines for responding to breach and cyberattack incidents and training measures to protect users.
"With the support and assistance of nationally recognized cybersecurity experts, we are investigating what happened and what data and people may be affected," DOL says, adding that the investigation into the data and individuals targeted continues.
DOL is directing professionals with concerns that their information could have been compromised to access resources about identity theft from the Washington State Office of the Attorney General or the Federal Trade Commission. The agency is also asking licensees and others who could have information stored in the system to monitor accounts for abnormal activity and report it, as well as place a fraud alert or security freeze on credit files.
Olson says DOL will send correspondence with additional services that can be accessed, including access to free credit monitoring.
DOL has a robust cyber resiliency plan, according to Olson, who says education is also part of the plan, including "mandatory annual training on cybersecurity and quarterly training on security issues, such as phishing."
"We have an incident response plan, a cyber incident response plan, a data security incident response plan, and a continuity of operations plan; together, they contain many elements that most cybersecurity resilience plans have," Olson says.
Investigation into the breach continues, according to Olson.
"Our main priorities are understanding how the access occurred and making sure it doesn’t happen again, so that we can be assured the system is safe and secure," Olson adds.
Other Washington Incidents
The state of Washington - a hub for tech and security giants including Microsoft, Amazon and Avanade - has had its fair share of major security incidents, including ransomware. Many security professionals have lamented the difficulties of protecting high-profile networks, which are privy to sensitive information, including that of consumers and employees. Cybercriminals often view bringing down large corporate or government sector networks as a mark of their skill. To achieve that goal, they use tools that range from buying malware-as-a-service packages to enacting advanced social engineering strategies on employees to trick them into providing network access.
In the first episode of "The Ransomware Files," Ski Kacoroski, a network administrator for Northshore School District in Bothell, Washington - a Seattle suburb - shares his experience of falling victim to a ransomware attack. Kacoroski, on the podcast, said school board officials have encouraged information sharing related to ransomware. He also explained the steps he took to get the school district's systems back online and how there should be no shame for victims as cybercriminals continue to prey on critical infrastructure and other public and private agencies.
Telecom giant T-Mobile, which is also a Seattle-based company, has grappled with several major data breaches in the past few years. In August, the company experienced a massive data breach in which more than 50 million customers' data was stolen. Another, smaller breach - related to a SIM swapping attack - was confirmed in December. A T-Mobile spokesperson said at the time that 200,000 customers' data could have been compromised, but the firm said security measures in place worked for early detection and allowed the company to contact those who could have been affected (see: T-Mobile: Some Customers Affected by SIM Swap Data Breach).
Update - Feb. 11, 1:10 PST: This story has been updated to include comments by DOL spokesman Nathan Olson to reflect that a breach of POLARIS has been confirmed.