Criminals Stole Data from 650K Via Wash. Licensing Hack

According to the Washington Department of Licensing, hackers indeed stole Social Security numbers and other personal data from at least 650,000 individuals through a data breach that might have occurred in late January.

(TNS) — Investigators now believe that hackers stole Social Security numbers and other sensitive personal data from at least some of the 650,000 current and former Washington state professionals and business owners whose information was held on a breached state database, Department of Licensing officials confirmed Friday.

The breach, which was detected Jan. 24 and disclosed last week, affected personal data in active, expired, revoked or suspended licenses for 23 of the 39 professions and businesses that require state licensing. Vulnerable data included Social Security numbers, driver's license numbers and dates of birth. Data from the department's driver's license system wasn't affected, agency officials said.

"Based on our investigation, [Department of Licensing] has sufficient reason to believe the Professional and Business Licensing System was accessed and records were acquired without authorization," the agency said in an updated statement on its website.

Investigators, who now include the FBI, the Washington State Patrol and the state attorney general's office, still haven't determined whether the breach occurred within the agency, in the database or in some other part of the data system, said agency spokesperson Nathan Olson.

The database is maintained by San Francisco software company Salesforce, which has said it has no evidence that the breach occurred due to a problem in the database.

The Department of Licensing is notifying individuals who may be affected by the breach and will provide them with a year of credit monitoring and identity theft protection.

The agency's main online licensing portal, known as Polaris, has been shut down since Jan. 24 as a security precaution, but the agency is offering limited renewal services for businesses and professionals with expiring licenses.

Agency officials had initially said that the breach might have exposed the data of around 257,000 individuals with active licenses in the system, but acknowledged that the full number was likely larger. Friday's estimate grew to 650,000 because it included individuals with inactive licenses, and also because a single business license can include information for multiple people, Olson said.

Friday's announcement confirms what many outsiders already suspected: that personal information in the agency's data system wasn't merely exposed during the breach, but in at least some cases was removed and may be on the "dark web," an anonymized section of the World Wide Web accessed through special software. Stolen personal data is often traded there for use in illicit activities such as the mass impostor fraud that struck Washington's unemployment system in 2020.

As early as late January, some individuals with business licenses in Washington said they had received notifications that some of their personal information had been detected on Jan. 24 on the dark web. That was the date that the state's Office of Cybersecurity became aware of the breach after detecting "chatter" on the dark web about "accessed" personal data from the Department of Licensing.

Although investigators are certain some personal data was stolen, they still haven't determined how, where and when the breach occurred, Olson said.

State Sen. Reuven Carlyle, D-Seattle, who has received agency briefings on the incident, said investigators are looking at the entirety of the Department of Licensing's data "ecosystem."

That includes the agency's own internal data systems, the state's broader information technology infrastructure, and the third-party firms that run the database and the integration of the database with the agency, said Carlyle, a technology executive and consultant.

Cybersecurity investigations often focus on the "handoff of data" between different parts of the data ecosystem, Carlyle said. "There is often a particular vulnerability in the cybersecurity category when there's a transition or handoff of data between various parties — and how data goes through that journey is obviously important."

On Monday, a Salesforce spokesperson said that, "at this time, we have no evidence of a vulnerability inherent to the Salesforce platform." Salesforce did not respond to a request for an update Friday.

The consulting firm Deloitte configured the Salesforce platform to work with the Department of Licensing system, Olson said.

Also unclear is whether the breach occurred on Jan. 24 or if that was simply when the state Office of Cybersecurity became aware of the breach.

Breaches are often conducted over a long period, and criminals may not sell the data immediately, said Tari Schreider, a strategic adviser in the cybersecurity practice at Aite Group, a financial services consultancy.

"Once the hackers get in there, they basically lie in wait and look for data that may be interesting," Schreider said. "Hackers could have been in there for months."

Investigators may look at whether the data was in a secure, encrypted form while being stored, moved or processed, said Schreider, who is not involved in the investigation.

Olson said the investigation, which also includes the state Office of Cybersecurity and a third-party cybersecurity firm, CrowdStrike, was "still investigating whether data was unencrypted."

Data encryption is no guarantee against breaches, said Special Agent Kevin Brennan, who is currently supervising the cyber task force at the FBI's Seattle field office.

Although unencrypted data can be easier for hackers to use or monetize, hackers who manage to break into a system and steal encrypted data often also steal the encryption key that lets them unlock the data, Brennan said.

(Per agency policy, Brennan would neither confirm nor deny his office's involvement in the Department of Licensing investigation, and said his comments referred to data security generally and not to the Department of Licensing breach.)

Cyber criminals typically use Social Security numbers and other personally identifiable information for "follow-on" crimes, including obtaining credit cards and bank loans, Brennan said.

They also use the data in so-called account takeovers. Thieves "find an existing account that belongs to you and convince [banks] that I'm you because I have your name and your address, date of birth, your social," said Brennan.

On Friday, some professionals and business owners said they had already received their notifications from the Department of Licensing. Others were still waiting to learn if they were among the at-risk categories — or were wondering whether this breach would be any more or less damaging than any of the other numerous breaches that have happened recently.

"All these reputable companies have had these data breaches," said Shonta Riles, a notary and owner of Poppin Notary in Tacoma, referring to a spate of recent reports. As a result, he said, the personal information for "most of the people in the United States is probably [already] on the dark web, to be honest with you."

©2022 The Seattle Times, Distributed by Tribune Content Agency, LLC.