Personal information of some of the hundreds of thousands of licensed professionals potentially exposed in a breach of a Washington state database may already have shown up on "dark web" clearinghouses used by identity thieves.
State investigators haven't said whether Social Security numbers and other personal data were actually stolen from a database of more than 250,000 professional and business licensees used by the state Department of Licensing, agency officials said. The database is maintained by Salesforce, a San Francisco software company.
But two individuals who previously had a business license in Washington learned recently that their personal information was detected on Jan. 24 on the dark web, an anonymized section of the World Wide Web accessed through special software. Stolen personal data is often traded there for use in impostor fraud and other illicit activities.
Jan. 24 is the same day Washington state cybersecurity investigators detected "chatter" on the dark web about "accessed" personal data from Department of Licensing, agency officials said Friday. The agency shut down its online licensing portal, known as POLARIS, that day, and has kept it offline since.
"When I saw the (Jan. 24) date, that's actually what made the alarm bells go off in my head," said Mike Burlingame, a Florida resident who had licensed a small telecommunications company in Washington around 15 years ago, and who contacted The Seattle Times after reading about the breach.
Burlingame said he was notified Feb. 1 by his credit monitoring service that his Social Security number and other personal information were discovered on the dark web on Jan. 24. Also exposed was personal data for Burlingame's wife, who was also registered on the company license.
Another report of Department of Licensing data appearing on the dark web was made by a third individual to the Identity Theft Resource Center, a California-based nonprofit that helps identity theft victims, said James Lee, the center's chief operating officer.
Although these instances of personal data on the dark web aren't conclusive evidence of wide-scale theft of Department of Licensing data, "that is certainly a strong indicator that the data was exfiltrated — was removed — and now it's available for misuse," said Lee, an expert in identity theft and data breaches.
The potential breach, which the Department of Licensing made public Feb. 3, may have affected personal data from people and companies in 23 professional and business categories, ranging from auctioneers to real estate agents to funeral directors.
The potential breach remains under investigation by the state Office of Cybersecurity, the state Attorney General's Office and a third-party cybersecurity firm, CrowdStrike, Department of Licensing officials said. It's still unclear whether licensees' personal data was actually stolen or simply was exposed to possible theft, Department of Licensing officials said Monday.
The agency also doesn't yet know exactly how many licensees may have been affected, and has yet to determine whether the potential breach occurred within the agency, in the database or in some other part of the data system.
"We're just not going to have a full picture until the investigation is done," Department of Licensing spokesperson Christine Anthony said Monday.
A Salesforce official said the company had no indication that their database had been compromised, but declined to provide more details.
"At this time, we have no evidence of a vulnerability inherent to the Salesforce platform," said spokesperson Allen Tsai in an emailed response to questions.
In late 2020, a software vendor used by the state auditor's office suffered a data breach that likely led to files being accessed by an unauthorized user.
Because there have been numerous data breaches in recent years, it's often difficult for investigators to link data on the dark web with a particular breach, said Trace Fooshee, a senior analyst and expert in fraud, data security and money laundering at Aite Group, a financial services consultancy.
"There are lots and lots of sources of exposed [personal information] out there," Fooshee said. "They happen all the time."
Indeed, Burlingame himself was caught up in the T-Mobile data breach, when hackers reportedly accessed personal information linked to nearly 50 million people.
But like Lee, Fooshee said the coincidence of events on Jan. 24 may be notable. "Given that context, it makes sense that perhaps ... this most recent breach was likely the source of where the information [dark web] came from," he said.
The Feb. 1 notification Burlingame received indicated that on Jan. 24, the credit monitoring agency found a new online record with his name, birthdate and Social Security number, his former Washington state ZIP code, Washington driver's license number and a current phone number. Burlingame shared a screenshot of the Feb. 1 notification.
Burlingame said he was perplexed by the apparent age of the data that showed up on the dark web.
He said his Washington state company was dissolved around 2008 when ownership was transferred to another firm. The data reference in the Feb. 1 notification from his credit monitoring service appeared to be from "an inactive record that they would have still had ... in their database," he said. "The fact that I'm seeing data that would have been provided for an inactive ... 15-year-old company is extremely concerning."
On Friday, Anthony, the Department of Licensing spokesperson, said there were around 257,000 active licenses in the department system, but also indicated that "there are likely more records that may be identified while conducting our investigation." On Monday, Anthony said there were some older records in the system.
Anthony said it also wasn't clear how long investigators would need to determine whether and how much personal data was stolen from the database. If data was stolen, Anthony said, the Department of Licensing likely will offer credit monitoring services to potential victims.
In the meantime, some licensed professionals are trying to determine how damaging a data breach might be.
Information such as Social Security numbers and addresses might be used to carry out fraud, such as filing bogus unemployment claims, as happened in Washington in the spring of 2020.
But some licensed professions might have other, equally sensitive information in the Department of Licensing database, said Neil Harrison, president of the Washington Association of Legal Investigators.
"A lot of our members and licensed [private investigators] are not only former law enforcement, but they're also former federal law enforcement and 'alphabet' agency people," Harrison said, referring to agencies such as the FBI. "So you've got a very large potential of ... significant problems that can be caused for the individual."
Washington's Department of Licensing has opened a call center to handle questions about the incident: 855-568-2052.