Issue is resolved, but the agency is reaching out to the 2,200 people affected
OLYMPIA – A vulnerability involving a Washington State Department of Transportation system may have exposed personal information stored in an internal database of about 2,200 people, and the agency is reaching out to help notify them of the incident.
It is not known if anyone obtained the information for illegal use, and the vulnerability within the system is now resolved. The database system is not connected to any other databases outside of WSDOT. Because some personal information was included in the database, WSDOT, in an abundance of caution, has set up a call center to locate and verify those who may have been affected and provide information and services.
Who is affected?
Those affected by this incident are:
- 2,249 trainees employed by private contractors on federally funded WSDOT projects between 1986 and 2021
- Participants in the federal On-The-Job Training program
The vulnerable personal information included first and last names and the last four digits of social security numbers. To be clear, the information did not include individuals' full social security numbers, and no other personal information was involved.
The hours worked by these individuals are tracked by WSDOT's Construction Contract Information System to verify compliance with the federal training program requirements. The personal information is used to verify the trainees' certification requirements. These were not WSDOT employees, but rather people who worked for contractors in trainee positions on construction projects. WSDOT does not have contact information for those affected, so the agency is making a public notification.
Anyone who participated in the On-The-Job Training program as a trainee for a WSDOT contractor, can visit the agency's data incident webpage for further details and information about free credit monitoring for eligible affected individuals.
Mitigation steps
WSDOT learned on Dec. 29, 2021, that an older data system maintained by the agency was able to be manipulated in a way to extract information from the database. WSDOT immediately addressed the security issue by applying a security fix on this system within hours of learning of the vulnerability to prevent similar access and then verifying whose information had been vulnerable.
WSDOT has consulted with state cybersecurity officials and the Attorney General's Office on this matter and is evaluating policies to further strengthen systems, eliminate unneeded data more quickly and increase training on these matters.