Investigators believe hackers stole at least some of the Social Security numbers and other sensitive personal data of 650,000 current and former Washington state professionals and business owners during a breach of a state database. The Seattle Times reports that Department of Licensing officials confirmed the numbers Friday. The breach, which was detected on January 24 and disclosed last week, affected personal data on active, expired, revoked or suspended licenses for 23 of the 39 professions and businesses that require a state license.
The affected data included information such as Social Security numbers, driver’s license numbers and dates of birth. Data from the department’s driver’s license system was not affected, agency officials said.
“Based on our investigation, (Department of Licensing) has reasonable cause to believe that the Business and Professional Licensing System was accessed and records acquired without authorization,” the agency said in an updated statement on its website.
The database is maintained by Salesforce, a San Francisco software company.
The agency will begin notifying people potentially affected by the breach and providing them with credit monitoring and identity theft protection.
Agency officials had initially said the breach could have exposed the data of at least 257,000 people’s active licenses in the system, but acknowledged the total number was likely higher. Friday’s estimate increased to 650,000 because it included people with non-active licenses and also because a single business license can include information from multiple people, Olson said.
Investigators have not yet determined whether the possible breach occurred within the agency, in the database or in some other part of the data system, said Nathan Olson, an agency spokesman.
On Monday, a Salesforce spokesperson said that “at this time, we have no evidence of an inherent vulnerability in the Salesforce platform.”
The breach remains under investigation by the state Office of Cyber Security, the state Attorney General’s Office and a third-party cybersecurity firm, Department of Licensing officials said.