WSU security to be assessed

The university is taking measures to increase security after a data breach in April

CODY COTTIER, Evergreen reporter

WSU will soon distribute a survey asking university personnel what data they have and how they are managing it, in an effort to assess information safety following a security breach in April.

This is the first step in a plan the university announced earlier this year, after a hard drive containing personal information of more than 1 million people was stolen from a self-storage unit kept by WSU’s Social and Economic Sciences Research Center in Olympia.

After this, the university will enlist a computer security company to perform a comprehensive review of WSU’s security practices, said Sasi Pillay, vice president of Information Technology Services and chief information officer.

“It’s not something that can be done overnight,” he said. “It is going to be a sizable effort.”

Tom Ambrosi, chief information security officer, said they will send out the survey in about a month, to check for compliance with state standards. He said they perform this review annually, but not usually to this extent. They are surveying all relevant personnel, partly because of the security breach, Ambrosi said.

The costs involved in the security breach have reached into the hundreds of thousands, said Phil Weiler, WSU vice president for marketing and communication. He said he is not sure of the final cost, but WSU paid only $150,000 on an insurance deductible, because its policy covers up to 2 million impacted people.

The research center kept two backup hard drives with sensitive information, including Social Security numbers, Weiler said. They used the information for things such as helping school districts track whether high school graduates got jobs or went to college.

He said they stored one of the backups on-site, to be used in case their server crashed, and one in the storage unit. Each week they exchanged the two, placing one into an 85-pound safe that Weiler said would be difficult to steal, let alone to open.

“That said, there were better places for us to store that hard drive in retrospect,” Weiler said.

Seattle-based cybersecurity expert Bryan Seely agreed, saying, “I’ve got a better safe in my bedroom than the one they were using.” He said sensitive information like this should be stored in a bank vault.

“And if for some ungodly reason the bank gets robbed,” he added, “and it’s like some movie where they’re emptying safety deposit boxes, you’ve got a pretty good story to tell to your board of directors.”

And in fact, Weiler said the research center’s backup hard drive has been moved to a bank vault. He said the downside to this arrangement is reduced access to the backup.

“You have to weigh convenience with security,” Weiler said. “I think it probably makes more sense for us to err on the side that ends up being less convenient.”

He said he has not heard of anyone’s information being stolen. One person filed a lawsuit in early July against WSU, saying he had suffered a fraudulent charge after the breach, but the case was dismissed two weeks later. Weiler said he is not aware of any other lawsuits.

After discovering the theft on April 21, WSU alerted the Olympia Police Department. They investigated, but with few leads the case proved fruitless.

Seely speculated the thief knew what was in the safe. Otherwise, he said, they would not have thought it worthwhile to steal. He noted that identities fetch a couple dollars each on the black market.

Weiler, on the other hand, argued it seemed like a crime of opportunity, that the thief chose that unit at random and assumed the safe held something valuable. He said there are easier ways for a hacker to steal information.

WSU waited two months to notify the people whose information was on the hard drive. In the intervening time, security company Navigant spent six weeks with the other backup, determining whose information had been compromised.

The company used “brute force attack,” a trial-and-error method of decoding data by trying every possible combination of characters. Weiler, who worked as public relations manager for a cybersecurity company for six years, noted that if it took this long for a team of professional computer scientists, it would not be easy for just anyone to unravel the data.

Weiler said most of the data was stored in a relational database, meaning the hard drive contained different files for information such as names, addresses and phone numbers. This makes it difficult to match each person to their information. He said some files were encrypted, and others password protected.

Seely said it’s better practice to encrypt the entire hard drive, rather than individual files, essentially “locking” it and rendering it useless to thieves. He said there are numerous third-party applications for this.

Seely said many organizations see information technology as a place to cut corners and save money, “but the vast majority of people are omitting the very, very basics.”

“That kind of stuff is ridiculous,” he said, “just for something simple that I do on my own personal stuff.”

This incident raises the question of whether WSU consistently stores sensitive information insecurely, Seely said. Pillay said this concern is the reason behind the data survey they plan to perform soon.

“That’s why we want to move forward with something really quick,” he said.

Pillay said they are putting together a checklist for the survey. After they distribute it, employees will have about 30 days to respond, explaining how they handle their data.

Ambrosi said they are already working to encrypt confidential data wherever it is stored across the university, including on desktops, backup hard drives and servers.

They plan to release a request by January for security companies to assess WSU’s information management practices, and to select one a couple months after that, Pillay said. He estimated the assessment will take three to four months, and expects it to be complete by early summer.