Lawmakers in Washington state have questioned the extent of information collected by the state’s Employment Security Department (ESD) for fraud-monitoring purposes. 

There has since been a data breach affecting 1.3m unemployment claimants.

Social security and bank-account numbers could now be in the hands of cyber criminals after the department was one of several victims worldwide of a hack into Accellion’s File Transfer Application (FTA), The Seattle Times reported.

Senator Karen Keiser, who chaired a hearing into the matters, said: “There was a real insistence for so much personal info from so many Washingtonians … Did we make an overstep with that effort?”

Senator Reuven Carlyle described the data demanded as extremely expansive, covering everyone who filed an unemployment claim in 2020.

“Could you have taken a sample? Five, ten, twenty thousand people?” he asked, and referred to cyber security experts recommending governments and corporations minimise collection of sensitive data.

Janel Roper, director of administrative services for state auditor’s office, said the data collection was necessary to evaluate how the ESD was flagging suspicious unemployment claims.

The agency is conducting several audits into how the department lost hundreds of millions of dollars last year to unemployment fraud, and delayed payment of legitimate claims, during the coronavirus pandemic.

“Conducting this test required our auditors to obtain the files with all the claims,” she said.

The attacks on Accellion’s FTA started in mid-December and continued into January, affecting several organisations, including telecommunications company Singtel. Mandiant, a division of cybersecurity firm FireEye, is investigating the attacks and has discovered “compelling” overlaps between some aspects of the malicious activity and patterns of behaviour by notorious group FIN11.

PrivSec Global, a live streaming event, takes place on 23-25 March featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.