
Washington Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

A detailed timeline of major cybersecurity incidents in Washington state, from the Accellion breach that exposed 1.6 million residents to Boeing ransomware and healthcare data theft.

Washington state sits at the crossroads of technology, aerospace, and government — three sectors that collectively generate enormous volumes of sensitive data and attract sustained attention from cyber adversaries. The state is home to Amazon and Microsoft's global headquarters, Boeing's commercial airplane division, Joint Base Lewis-McChord, and the Hanford nuclear reservation. That concentration of high-value targets in a single state creates a cyber risk profile that few other states can match, and the breach record reflects it.

The incidents documented below are not isolated failures. They reveal systemic patterns — third-party software vulnerabilities, inadequate access controls, delayed detection — that continue to affect Washington organizations today. Whether you run a healthcare clinic in Tacoma or a technology startup in Seattle, these cases carry lessons that should shape your cybersecurity strategy and inform your understanding of Washington compliance obligations.

Major Cyber Incidents in Washington: A Timeline

2019 — T-Mobile Data Breach (Bellevue HQ)

T-Mobile, headquartered in Bellevue, Washington, disclosed a breach in November 2019 affecting approximately 1 million customers. Attackers gained unauthorized access to prepaid customer account data including names, billing addresses, phone numbers, account numbers, and rate plan information. This was the first in a series of breaches that would make T-Mobile one of the most repeatedly compromised telecommunications companies in U.S. history. The breach highlighted the persistent difficulty of securing massive customer databases even at well-resourced technology companies.

2021 — Washington State Auditor's Office (Accellion Breach)

In one of the most significant government data breaches in state history, the Washington State Auditor's Office disclosed in February 2021 that a vulnerability in Accellion's File Transfer Appliance (FTA) had exposed the personal information of approximately 1.6 million Washingtonians. The compromised data included Social Security numbers, bank account and routing numbers, and other personal information from unemployment claims filed during the COVID-19 pandemic. The Accellion vulnerability was a zero-day exploited by the Cl0p ransomware group and its affiliates, and it affected dozens of organizations worldwide. For Washington residents, the breach was particularly damaging because it exposed financial data submitted during an already vulnerable period of mass unemployment.

2021 — T-Mobile Massive Data Breach

In August 2021, T-Mobile disclosed what became its most severe breach to date: attackers accessed personal information of approximately 76.6 million individuals, including nearly 50 million former or prospective customers. The stolen data included names, dates of birth, Social Security numbers, and driver's license information. The attacker, later identified as a 21-year-old American living in Turkey, exploited an unprotected router to access T-Mobile's testing environment and then pivoted to production databases. T-Mobile ultimately agreed to a $350 million class-action settlement and committed to spending $150 million on cybersecurity improvements over two years. Because T-Mobile is headquartered in Bellevue, the breach had direct implications for Washington's business community and regulatory discussions.

2021 — Sea-Mar Community Health Centers

Sea-Mar Community Health Centers, a federally qualified health center serving patients across Washington state, disclosed a breach affecting approximately 688,000 individuals. The Marketo ransomware group claimed responsibility and published stolen data on its leak site. Compromised information included names, Social Security numbers, dates of birth, medical and dental treatment records, health insurance information, and images. Sea-Mar operates over 90 locations across Washington, making the breach one of the largest healthcare data incidents in the state's history. The incident underscored the vulnerability of community health organizations that serve large populations with limited IT security budgets.

2023 — Fred Hutchinson Cancer Center Ransomware Attack

In November 2023, the Hunters International ransomware group attacked Fred Hutchinson Cancer Center in Seattle, one of the world's leading cancer research institutions. The attackers exfiltrated patient data and then took the unusual step of directly contacting individual cancer patients via email, threatening to release their medical information unless the center paid the ransom. The breach affected approximately 1 million patients and exposed names, Social Security numbers, health insurance information, medical records, and lab results. The incident drew national attention both for targeting a cancer center and for the tactic of directly threatening vulnerable patients — a deeply troubling escalation in ransomware pressure tactics.

2023 — Boeing Ransomware Attack

In October 2023, the LockBit ransomware group listed Boeing on its leak site, claiming to have stolen significant volumes of data from the aerospace giant. Boeing confirmed a cyber incident affecting its parts and distribution business. LockBit published approximately 43 gigabytes of data after Boeing reportedly did not pay the ransom. While Boeing stated that the breach did not affect flight safety or operations, the incident exposed internal data from a company that plays a central role in both commercial aviation and U.S. defense programs. Boeing's primary commercial airplane manufacturing facilities are located in Everett and Renton, Washington, making this a significant Washington state incident with national security implications.

2023 — T-Mobile January API Breach

In January 2023, T-Mobile disclosed yet another breach — its ninth since 2018 — in which attackers exploited an API vulnerability to access personal information of approximately 37 million customer accounts. The stolen data included names, billing addresses, email addresses, phone numbers, dates of birth, and account numbers. T-Mobile stated that the attacker had been accessing data through the exploited API since November 2022 before detection in January. The repeated nature of T-Mobile breaches became a focal point for FCC enforcement, resulting in a consent decree requiring T-Mobile to implement a comprehensive security program and pay $15.75 million in civil penalties.

Washington Data Breach Notification Law

Washington's data breach notification requirements are codified in RCW 19.255.010. The law requires any person or business that conducts business in Washington and owns or licenses computerized data containing personal information to notify affected Washington residents when a breach is discovered. Notification must be made within 30 days of discovery — significantly faster than many other states. If the breach affects more than 500 Washington residents, the organization must also notify the Washington State Attorney General within the same 30-day window.

Personal information under the law includes names combined with Social Security numbers, driver's license numbers, state identification numbers, financial account numbers with access codes, and health insurance information. A 2019 amendment expanded the definition to include biometric data, full dates of birth, and usernames combined with passwords or security questions. The Attorney General has enforcement authority, and violations are treated as unfair or deceptive acts under the Washington Consumer Protection Act (RCW 19.86), which permits penalties, injunctions, and legal fees. For a comprehensive overview of all Washington cybersecurity regulations, see our guide to Washington data privacy and compliance laws.

Which Washington Industries Are Most Targeted?

Technology

Washington is home to Amazon, Microsoft, and thousands of technology companies concentrated in the Seattle-Bellevue-Redmond corridor. These organizations are targeted for intellectual property theft, cloud infrastructure exploitation, and customer data. T-Mobile's repeated breaches illustrate that even companies with massive IT budgets struggle to defend expansive data environments against determined attackers.

Aerospace and Defense

Boeing's commercial airplane manufacturing in Everett and Renton, along with hundreds of aerospace suppliers across the Puget Sound region, makes Washington a prime target for nation-state espionage and ransomware. Defense contractors serving Joint Base Lewis-McChord and naval facilities face persistent threats from Chinese and Russian cyber espionage groups. Organizations in this sector should evaluate manufacturing cybersecurity strategies designed for complex industrial environments.

Healthcare

The Fred Hutchinson attack and the Sea-Mar breach demonstrate that Washington healthcare organizations — from world-class research institutions to community health centers — face severe and varied threats. Healthcare data commands premium prices on dark web markets, and the operational urgency of clinical settings creates intense ransom payment pressure.

Government

The Accellion breach that exposed 1.6 million residents' data through the State Auditor's Office proved that Washington government agencies are direct targets. The Hanford nuclear reservation, state agencies managing sensitive citizen data, and municipal governments across the state all present attractive targets for adversaries.

Protecting Your Washington Business

The pattern across Washington breaches is clear: third-party software vulnerabilities, unmonitored APIs, delayed detection, and supply chain weaknesses create the majority of exposure. Washington businesses should prioritize:

  • Vendor and supply chain security assessments — the Accellion breach proved that a trusted vendor's vulnerability becomes your breach. Evaluate the security posture of every third-party tool and service provider that handles your data

  • API security and monitoring — T-Mobile's repeated API breaches underscore the need for API-specific security testing, rate limiting, anomaly detection, and access controls

  • Multi-factor authentication across all remote access, email, and privileged accounts — still the single most effective control against initial compromise

  • Incident response planning that accounts for Washington's 30-day notification deadline, which is stricter than most states

  • Endpoint detection and response deployed across all systems, with particular attention to legacy systems in healthcare and manufacturing environments

  • Regular penetration testing and vulnerability scanning, especially for internet-facing services

Many Washington organizations partner with managed IT services providers and managed security services firms to maintain the continuous monitoring and rapid response capabilities needed to meet the state's regulatory expectations and defend against the threat actors actively targeting the Pacific Northwest. Small businesses in particular benefit from outsourced security operations that would be impractical to build internally.

Frequently Asked Questions

How quickly must a Washington business report a data breach?

Under RCW 19.255.010, Washington businesses must notify affected individuals within 30 days of discovering a breach involving personal information. If the breach affects more than 500 Washington residents, the business must also notify the Washington State Attorney General within the same 30-day period. This is one of the shortest notification windows in the country — many states allow 45 or 60 days.

What were the consequences of the T-Mobile breaches for Washington?

T-Mobile's repeated breaches, affecting hundreds of millions of customer records across multiple incidents, resulted in a $350 million class-action settlement for the 2021 breach, a $15.75 million FCC civil penalty, and a consent decree requiring comprehensive security improvements. Because T-Mobile is headquartered in Bellevue, these incidents have influenced Washington state discussions about data privacy enforcement and corporate cybersecurity accountability.

How did the WA State Auditor Accellion breach happen?

The breach exploited zero-day vulnerabilities in Accellion's legacy File Transfer Appliance software, which the State Auditor's Office used to transfer files. The Cl0p ransomware group and its affiliates discovered and weaponized these vulnerabilities before Accellion could issue patches. The compromised data included unemployment claim information for approximately 1.6 million Washington residents, making it one of the largest government data breaches in state history. The incident demonstrated the risks of relying on legacy file transfer tools and the importance of prompt patching and vendor risk management.

Was the Fred Hutchinson ransomware attack unusual?

Yes. The Hunters International group's decision to directly email individual cancer patients, threatening to release their medical records, marked an escalation in ransomware intimidation tactics. While ransomware groups have previously contacted executives or posted stolen data publicly, directly threatening patients undergoing cancer treatment represented a new low in extortion tactics. The incident affected approximately 1 million patients and prompted calls for stronger federal protections for healthcare organizations.

What data was exposed in the Boeing ransomware incident?

The LockBit ransomware group published approximately 43 gigabytes of Boeing data after the company reportedly declined to pay the ransom. Boeing confirmed the incident affected its parts and distribution business but stated that flight safety was not compromised. The leaked data reportedly included internal business documents. Given Boeing's role as a major defense contractor and the proximity of its Washington manufacturing facilities to sensitive programs, the incident raised national security concerns even though Boeing characterized the impact as limited.

Does Washington have stricter breach notification rules than other states?

Washington's 30-day notification requirement is among the strictest in the nation. For comparison, Texas allows 60 days, Florida allows 30 days, and California has a general requirement of 'most expedient time possible' without a fixed deadline. Washington also requires Attorney General notification for breaches affecting 500 or more residents, a lower threshold than many states. The 2019 amendments that expanded the definition of personal information to include biometric data further strengthened the law.

Alex Morgan

Updated Apr 4, 2026 · 10 min read