Washington Takes Down Financial Disclosures, Claiming Concerns Over Foreign Hackers

Senators are calling for the disclosures, which are meant to expose conflicts of interest, to be kept offline and available only upon request.

Washington Takes Down Financial Disclosures, Claiming Concerns Over Foreign Hackers
Access to financial disclosures has been disabled from the Washington Public Disclosure Commission's website.

On Sunday afternoon of Memorial Day weekend, the commissioners of Washington state’s Public Disclosure Commission (PDC) received an urgent email. “This is not something I take lightly, but it appears we have a serious problem on our hands,” read the email from Democratic state Sen. Sam Hunt, the chairman of the State Government, Tribal Relations and Elections Committee, which has jurisdiction over the commission. “I am requesting that the PDC put a hold on posting legislative and other F-1s online.”

F-1s are the financial affairs statements that the state’s elected officials, executive officers, and candidates for office are required to file and are made available to the public for review. The filings, which include information on officials’ financial assets, business affiliations, and other details, are meant to inform the public about possible conflicts of interest. They do not include account details, Social Security numbers, or other highly sensitive information, and the value of assets are disclosed using codes that indicate broad ranges.

In the email, which Sludge reviewed, Hunt said that the PDC was “being assaulted by international data thieves from China, Russia, and Germany” who wanted access to use the information on the forms for “who knows what purpose.” He asked the agency to immediately take down the data, adding that they could not wait for legislative action because “the crisis is now.” 

At the time, the state was being rocked by news that its Employment Security Department (ESD) was under attack from Nigerian hackers who were using stolen data to file hundreds of millions of dollars worth of fraudulent unemployment claims. The scammers appear to have targeted the state because it was among the first to begin paying out the expanded unemployment benefits that had been approved by Congress, and the ESD was using an accelerated process that made it more difficult to verify claims. 

“It appears that we are sitting ducks and could be the next big news story,” Hunt said in his email. “None of us wants this to happen.”

Hunt sent the email after Sen. Reuven Carlyle, the chairman of the Environment, Energy and Technology Committee, told him that he had asked the state’s Chief Information Officer, Jim Weaver, to review potential cyber threats across all state agencies. Weaver told Carlyle that the PDC website had foreign traffic but that he was unable to provide any quantifiable metrics about the traffic and how much may be from foreign visitors. Despite the lack of information, Weaver recommended that the financial affairs statement data be taken down, Carlyle told Sludge.    

Weaver told local news station KUOW that he had seen no evidence of the PDC’s website being breached.In a matter of hours after Hunt sent his email, the PDC blocked online access to the financial disclosure statements. As of this writing, the PDC’s website says that the information is unavailable and it does not provide instructions for how to obtain the information. The state’s Public Records Act requires agencies to provide “the fullest assistance” to people requesting public records and to take “the most timely possible action on requests for information.”

The PDC website now says Financial Affairs Statements are temporarily unavailable.

The sudden disappearance of this information happened as the American public has become more interested in the personal finances of politicians following a U.S. Senate scandal in which Sen. Richard Burr (R-N.C.) appears to have dumped stocks ahead of the coronavirus-related stock market crash based potentially on non-public information he received in a briefing. The case is currently being investigated by the FBI.

PDC Commissioner Russell Lehman told Sludge that the agency’s executive director and current chairman acted too hastily in taking down the information without conducting a deliberative review or consulting him and other commissioners on the matter. 

“What I believe they could have and should have said is, okay thank you very much we’ll take that into consideration, we’ll look at all the evidence, we’ll talk to the experts, and we’ll make a decision,” Lehman said. “But instead they just quickly did what this person wanted because he’s the chair of the committee.”

Lehman said that the use of hacked information at the ESD is not relevant to his agency’s website, which posts all its information in the open for public consumption.

“This legislator was alleging that because of the hacking that took place at the ESD website, that that could be a problem. And then our own IT people said, wait a minute, you can’t hack our site—our site’s public and open, there’s nothing to hack. He clearly is using what happened with the ESD as a pretext.”

Reached by email, Hunt told Sludge that he called for the filings to be taken down because of a general concern about the security of state data. 

“Our office of Chief Information Officer and WATech—state technology office—have raised deep concerns about security of state data and its protection,” Hunt said. “They have verified numerous attempts to break into state technology. So we wonder why just putting this data on the Internet without any security protections is even being considered.”

For Hunt, this was not the first time he has responded to a perceived emergency by supporting the take-down of F-1 forms. Last year, Sen. Tim Sheldon told his colleagues a now-debunked story about the wife of a state elected official being targeted based on information obtained in the disclosures while on vacation in Mexico. According to Sheldon’s debunked story, the wife was kidnapped and held for ransom, which he said was “an example of what some people can do with public information.” The non-profit news site Crosscut reported that Hunt urged his Senate colleagues to vote to keep legislators’ financial disclosures offline, and that the kidnapping story was the reason why. 

Hunt also voted in favor of a controversial 2018 bill to exempt the legislature from the state’s public records act. Carlyle voted against the bill, which was vetoed by Gov. Jay Inslee following a public outcry.

The PDC is scheduled to meet on Thursday, June 25, to discuss the matter. Hunt told Sludge that he has not received any follow-up information from the PDC since its last meeting and that he thinks the agency should keep the information offline. 

“Since the PDC apparently shows no interest in working with the legislature to protect this very personal information from data thieves who could willy nilly go to the PDC website and get thousands of elected and appointed officials personal information that includes family members’ names, property owned, bank accounts, investment information, debts, I do not believe the information should be online.”

In a June 22 letter to PDC chair David Ammons, Hunt, Carlyle, and 17 other senators called to keep the F-1 statements offline and go back to a request-based system similar to what it used before it began posting them online in 2019. 

“We believe you can aggressively support full and open access to F-1s through a simple request to the PDC while showing the most modest level of effort to protect filers,” the senators wrote. “Therefore, we urge the commission to return to the time-honored policy of making this information available upon request from the PDC.”

Toby Nixon, president of the Washington Coalition for Open Government, a nonpartisan group that “advocates for the people’s right to access government information,” told Sludge it supports the F-1s being posted online.

“The interests of the public are served best when public records of widespread interest are proactively posted online,” Nixon said. “It is unseemly for elected officials who claim to support transparency to demand creation of as much friction as possible in the disclosure process. The personal financial disclosures on PDC F-1 forms are quite superficial and very unlikely to be useful for fraudulent purposes such as fake claims for unemployment insurance. If these officials want to eliminate these disclosures that were imposed by a vote of the people, they should just come right out and say so, and stop putting roadblocks in the way.”

“It’s always a fight between privacy and transparency,” Lehman said. “It’s really interesting when public officials who do it completely voluntarily—they run for office, they know they have to file these things—and they will ask us for modification of their forms or allow them to somehow keep things private.”

This article has been updated to include comments from The Washington Coalition for Open Government.

Read more form Sludge:

Grassroots NY Challengers Take on the Pandemic and the Big Money Machine

‘Bloomberg Loophole’ Paves the Way for Rich Donors to Ignore Contribution Limits

Campaign to Overturn Citizens United Keeps Racking Up Wins