Lawsuit against WSU claims negligence led to burglary that exposed sensitive data
Sometime last April, a burglar – or maybe more than one burglar – broke into locker No. 326 at a self-storage facility in downtown Olympia. It might have been a mundane crime, if not for the massive number of potential victims.
Forgoing the opportunity to steal some old office furniture, the burglar, or burglars, made off with an 86-pound safe, which contained a hard drive, which in turn contained confidential information on nearly 1.2 million people, including names, Social Security numbers and personal health records.
The hard drive belonged to the Social and Economic Sciences Research Center, an arm of Washington State University that conducts long-term studies on education and career trends. Now, the university is facing a class-action lawsuit in King County Superior Court that alleges negligence and violations of Washington’s Consumer Protection Act.
The 33-page complaint, filed in December, also claims the school violated a state law that requires prompt disclosure of personal data leaks so victims can take steps to protect themselves.
Following the burglary, WSU hired a security firm to determine whose data had been compromised. On June 9, seven weeks after the breach was discovered, the university mailed out notification letters bearing President Kirk Schulz’s signature.
David Minnery, of Seattle, who received one of those letters, said he was stunned researchers would store private information at a place like Quality Self Storage, a facility with no surveillance cameras.
“It’s a joke,” Minnery said of the 8-by-10-foot locker. “You put a little Master Lock on those things. You’re storing household goods you don’t have room for in your garage. It’s not where you store our personal information. It just shows you how little value they placed on it.”
The consolidated lawsuit brings together several complaints by plaintiffs who had filed cases separately. One of them, Abhi Sheth of Seattle, was previously the lead plaintiff in a federal class-action suit against WSU. That suit was filed and promptly dismissed in July because the attorneys had not filed a tort claim, which is required 60 days before one can sue a government entity.
No one has been charged in connection with the burglary, and it appears authorities have found no suspects. Some of the files on the hard drive were encrypted, and some were password-protected. WSU officials say they have no evidence the data has been misused or accessed by a criminal.
But the King County suit says Sheth and other plaintiffs, including two men who now live in Arizona and Louisiana, had their financial accounts hijacked in the weeks after the Olympia burglary.
Minnery said he, too, has fallen victim to identity theft, but he doesn’t know if it’s tied to the burglary or, say, the massive Equifax hack that came to light in September. A woodworker, Minnery runs a toy company with his wife, Adrienne, who also unwittingly had personal information on that hard drive in Olympia. They routinely have to cancel fraudulent charges on their Wells Fargo business checking account, he said.
“About every two months, someone uses my card to make some purchases,” David Minnery said. “I spot it, let the bank know. They cancel my card, issue me a new card with new numbers. And the cycle repeats.”
Kim Stephens, a Seattle attorney for the plaintiffs in the class-action suit, said many victims of the Olympia breach question why WSU had their information in the first place. The university offered all potential victims a year of free credit monitoring, but Stephens said the exposure will hang over their heads indefinitely.
“There’s kind of a shock factor,” he said, “in the way this information was spread around and ultimately spilled.”
Data stolen in 2013, too
The Olympia burglary was not the first time someone managed to steal a hard drive containing personal information from a WSU department.
On a Monday morning in October 2013, employees returned to an office in WSU’s School of Biological Sciences on the Pullman campus and discovered four hard drives had been stolen over the weekend along with other items.
One employee reported the burglary to campus police, saying someone had rifled through her desk and taken a brand-new Dell computer monitor, as well as keys to a filing cabinet and her bag of Reese’s peanut butter cups. There was no evidence of a forced entry.
The employee was later placed on paid administrative leave because, school officials said, she had violated a cybersecurity policy by storing confidential data on an unsecured hard drive.
According to a report by the state attorney general’s office, which The Spokesman-Review obtained through a public records request, one of the stolen drives was known to contain the names and Social Security numbers of 108 school employees and former employees, and the same information for one former student. Payroll data on 263 other employees was compromised, too, but university officials didn’t know if it included anything that would be useful for identity thieves.
School officials acted quickly. The locks on the office were changed hours after the burglary was discovered. Passwords were changed and devices were encrypted. And, according to the attorney general’s office report, then-WSU President Elson Floyd ordered that all potential victims be notified by the following day.
A college dean, Daryll DeWald, who is now the chancellor of WSU’s Spokane campus, decided notification emails should be sent from his account so recipients would be less likely to mistake them for spam or a “phishing” attempt. The school mailed letters, too, and recommended victims freeze their credit with the three major reporting agencies.
“We are notifying you, so you can take action along with our efforts to minimize or eliminate potential harm,” the letters stated. “Because this is a serious incident, we strongly encourage you to take action now to help prevent and detect any misuse of your information.”
So why didn’t WSU notify the potential victims of the Olympia burglary more quickly? Several reasons, said Phil Weiler, the university’s vice president for marketing and communications.
For one, most of the information on the hard drive was stored in relational databases, Weiler said in an email. “We had to associate groups of names with addresses and Social Security numbers. This took a considerable amount of time and expertise from an outside firm.”
The hard drive was used to back up data stored at the Olympia research center. Using copies of that data, the security company Navigant employed a “brute force” method – basically, trial and error – to decrypt each file and figure out who was likely at risk.
“This task alone took a number of days,” Weiler said. “We also needed to print approximately 1.2 million individual letters and coordinate mailing with an outside mail house, arrange for credit monitoring for all individuals, stand up an outside call center to handle inquiries, coordinate with state agencies, develop scripts for WSU’s front counter staff in the event that they received calls (and) build the website.”
WSU working on cybersecurity
Sasi Pillay, WSU’s vice president for information technology services, said the school is constantly working to improve its cybersecurity.
“I always talk about IT security as a journey,” he said. “It’s not a destination. It’s not a place where you can arrive and everything is fine.”
He and chief security officer Tom Ambrosi said they’re taking a multifaceted approach that involves educating all students, faculty and staff about various types of cyberattacks. The most common at WSU, Ambrosi said, are “phishing” schemes in which hackers use phony emails to trick people into handing over sensitive information.
Some of them, he said, are “very targeted phishing attacks against specific individuals depending on what they’re after, whether it’s research or something else.
“We see a lot of those attempts. We see a lot of those every day.”
Additionally, Pillay said, WSU will require deans, chancellors, vice presidents and other higher-ups to keep better tabs on information stored by their departments. That way, he said, it will be easier for the IT department to spot vulnerabilities – like a storage locker in Olympia.