By Lexie Krell
April 14, 2009
New Husky ID cards were issued to payroll coordinators Friday after UW Transportation Services and the UWPD confirmed early this month that a hacked server put personal information of UW staff, faculty and retirees at risk.
More than 6,000 names and Social Security numbers (SSNs) were compromised when a Transportation Services server was hacked in December 2008.
The ongoing investigation by the UWPD found that the server was hacked on Dec. 6. Once the compromise was discovered, the server was taken offline and rebuilt before being restored behind the firewall.
“Because there was the chance that the information on the server was taken and that somebody intended to use it to do harm, it was our duty to notify the people who were affected,” said Josh Kavanagh, director of Transportation Services.
However, letters notifying individuals whose information was stored on the compromised server were not sent until late March, nearly four months after the information had been compromised. The complexity of the affected server contributed to this delay.
“It’s fair to say that this was a one-of-a-kind system,” Kavanagh said. “That made our effort to identify what was there and who we needed to be working with that much more difficult. We hope to be using more industry-standard software in the future.”
Kavanagh said the department realized something was amiss when an employee was unable to log in to the computer system.
“One of the first calls we made was to the office of the chief information security officer,” Kavanagh said. “They were able to validate that the system had been hacked.”
As Kavanagh understands it, the incident occurred after a vendor who works for the department changed the configuration of the system by moving the server outside of a firewall.
“It was not something that I would have authorized,” Kavanagh said. “The misconfiguration occurred while they were troubleshooting the issues associated with an update to the software.”
The storage of the SSNs on the department’s server was related to the transition the university made in 2002, when it replaced the SSN with an employee identification number (EID) on records and Husky ID cards.
“Prior to the adoption of the EID, the SSN was used for employee identification for Husky cards issued prior to 2002,” said Ann Gigli, the Husky ID card administrator. “The employee’s SSN is part of a longer number recorded on the magnetic strips of those cards.”
Because SSNs were used to identify employees prior to the transition, Transportation Services had the numbers stored on the server to access certain records. It is not believed that any student SSNs were stored on the compromised server.
“Transportation Services will not have to rely on SSNs after this month, and we will have them purged from our computers at that time,” Kavanagh said. “I’m working closely with other departments on campus to make sure that any lessons learned from this experience are applied to doing a better job of protecting sensitive information when we need to have it and making sure that we don’t have it when it’s unnecessary.”
Reach editorial assistant Lexie Krell at news@dailyuw.com.
7 Comments
#1 LightningEmpiricist
on April 14, 2009 at 12:37 a.m. (Seattle, WA | UW Community)
"New Husky ID cards were issued to payroll coordinators Friday ..."
LE: Seven years and three months after the UW *should* have issued new Husky ID cards to all affected persons as a prudent security measure (on Jan 1, 2002), it wasn't until KUOW reported Ed Lazowska, Professor of Computer Science and Engineering at UW publicly stated the following information about his own Husky ID card, and asked the following cogent question:
"So every time I swipe this thing, the card reader is reading my name and my social security number and the question is, what does it do with that information? How many computers at the University of Washington contain my social security number for no good reason?"
http://www.kuow.org/program.php?id=17258
that the UW finally did what they clearly made a deliberate choice not to do on Jan 1, 2002, that is - adequately protect the security of the affected persons' SSNs.
#2 LightningEmpiricist
on April 14, 2009 at 2:15 a.m. (Seattle, WA | UW Community)
" ... UW Transportation Services and the UWPD confirmed early this month that a hacked server put personal information of UW staff, faculty and retirees at risk."
LE: While it was known that UW Transportation waited until nearly April to comply with the requirements under RCW 42.56.590(1)(a) to disclose the information "in the most expedient time possible and without unreasonable delay", this article's statement:
" ... UWPD confirmed early this month that a hacked server put personal information of UW staff, faculty and retirees at risk."
implies that the UWPD's official position is that they had a role in the three months of delay - since their own police report indicates that "An initial on-site review by the UW on Dec. 30 showed "obvious signs of compromise ... ".
http://seattletimes.nwsource.com/html...
This (UW Daily) article also states: "The ongoing investigation by the UWPD found that the server was hacked on Dec. 6."
Seattle Times reporter Nick Perry stated in his April 1, 2009 article that a public UWPD Police Report had been issued by April 1, 2009. Such a public report is not released until a police investigation is *closed*. Therefore, the statement that an "ongoing investigation" is in progress is a contradiction in terms.
The public deserves to know the exact beginning and ending dates of the UWPD "investigatory activities", why they (may have) taken so long a time to complete their investigation before issuing their public police report to the Seattle Times.
RCW 42.56.590(3) states that the notification requirements set forth in its Subsection (1)(a) can only be delayed if it is determined by a formally involved law enforcement agency that:
" ... the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation."
It is essential that The Daily further inquire of the UWPD how it came to be that their investigatory activities:
(1) (May have) taken three (or more) months to complete (between December 2008 and late March 2009); and
(2) (If so) exactly what was the UWPD's reasoning for any determinations made by them that prompt notification as required under RCW 42.56.590 (1)(a) could and would not proceed because it would have "compromised" or "impeded" a "criminal investigation" in progress; and
(3) (If a "criminal investigation" was indeed in progress), how *could* any such an investigation proceed on the basis of what Kirk Bailey alleged to the Seattle Times was a total lack of information that could be determined by any/all employees of UW Information Security: "Bailey said it is not known why the hacker or hackers wanted to get into the system or what they did once there."
#3 LightningEmpiricist
on April 14, 2009 at 2:48 a.m. (Seattle, WA | UW Community)
"... letters notifying individuals whose information was stored on the compromised server were not sent until late March, nearly four months after the information had been compromised."
LE: Note that no adequate answer to the cogent and timely questions raised by the above fact appears within this article.
While the article's author states: "The complexity of the affected server contributed to this delay.", UW Director of Transportation Joshua Kavanagh makes no statements within the article which answer these core questions that the public and affected persons need to know.
"'One of the first calls we made was to the office of the chief information security officer,' Kavanagh said."
LE: And what was the date of that initial communication to UW Information Security?
Kavanagh: “They were able to validate that the system had been hacked.”
LE: Not less than a full 24 calendar days following Dec 6, 2008 (on Dec 30, 2008), according to the UWPD public disclosure to the Seattle Times that: "An initial on-site review by the UW on Dec. 30 showed 'obvious signs of compromise,' ... ".
http://seattletimes.nwsource.com/html...
It is essential that The Daily further inquire of UW Transportation to publicly disclose on what specific dates they initially actually contacted:
(1) UW Information Security; and
(2) The UW Police Department.
#4 LightningEmpiricist
on April 14, 2009 at 3:52 a.m. (Seattle, WA | UW Community)
"As Kavanagh understands it, the incident occurred after a vendor who works for the department changed the configuration of the system by moving the server outside of a firewall."
LE: This is an interesting and brand-new twist to be added to the information formerly disclosed to the Press (The Seattle Times, KUOW). A third-party ("outside-entity") business separate from the UW is stated by Kavanagh as having been responsible for (intentionally) bypassing the computer network firewall in the course of providing their expert services to the UW. Thus, it would seem that the UW's official position (may) be that any/all breaches arose out of the knowing and willful actions of - "somebody else" other than the UW ...
In addition to the UW Privacy Officer for Main Campus, the UW employs a number of UW Privacy Officers to handle interactions with third-party contractors at UWMC who administer the security of similarly private and legally protected confidential personal information of their customers.
The UW's standard contractual agreement with these "outside-entities" specifically holds these companies liable for all damages arising out of any security breaches arising out of actions taken by such outside companies (including all costs of notification to affected persons). Take a look for yourself at:
http://depts.washington.edu/comply/do...
In the "Potential Data Security Breach" section of the UW's contractual agreement form, the contract specifically states:
"Outside Entity shall indemnify, hold harmless, and defend Covered Entity from and against any penalties, claims or damages arising from or pertaining to a breach of this agreement, or the violation of any state or federal law applicable to the use, disclosure or protection of personal information subject to this Agreement. Such indemnification will likely include the full costs of such notice to impacted individuals, including the costs to retain an outside consulting firm to undertake the effort."
(I am not an attorney, but one does not have to be an attorney to see that), regardless of whether or not the UW has such a contractual agreement with their third-party "outside-entity" computer network "vendor who works for the department" (as Kavanagh stated to The Daily), the University of Washington clearly remains the appropriate sole defendant to any future legal claims, actions, or proceedings that the (at least) 6000 affected persons may initiate or file in the future.
The fact that the UW may seek to recover civil damages and costs resulting from this breach (and any resulting civil claims, actions filed against the UW) from their "vendor who works for the department" is the UW's problem - and does not appear to present any impediment to the *UW itself* being sued for civil damages by any/all of the affected persons of this serious security breach of highly personal information. Do not let such tactics either confuse or discourage you!
#5 LightningEmpiricist
on April 14, 2009 at 4:21 a.m. (Seattle, WA | UW Community)
LETTER TO DEBORAH WANG, REPORTER, KUOW
Subject: Facts that the Public Still Needs to Know!
Dated: April 14, 2009
Deborah Wang:
The April 14, 2009 Daily of the UW article entitled, "New cards issued after server hacked: UW Transportation Services server compromised" at:
http://dailyuw.com/2009/4/14/new-card...
leaves relevant, timely, and important facts that the public and all affected persons both need to know, as well as deserve to know!
I strongly encourage both KUOW, as well as The Daily, to continue to follow-up their investigative efforts until the facts enumerated in my four comments posted on April 14, 2009 are fully, truthfully, and accurately answered by officials of the University of Washington.
It is my hope that the UW (as a source of funding for both KUOW as well as The Daily) will not either attempt to (or succeed in any possible efforts to) limit the scope or the breadth of your investigative journalism undertaken within the process of discovering these important facts, which are all important matters of the public record!
Lightning Empiricist
#6 LightningEmpiricist
on April 14, 2009 at 4:37 a.m. (Seattle, WA | UW Community)
LETTER TO NICK PERRY, REPORTER, THE SEATTLE TIMES
Subject: Facts that the Public Still Needs to Know!
Dated: April 14, 2009
Nick Perry:
Regarding the issues and questions raised by your April 1, 2009 article in The Seattle Times entitled, "6,000 UW workers' personal information at risk":
http://seattletimes.nwsource.com/html...
please note that coverage by the Press has yet (to date) to provide answers to a number of relevant, timely, and important questions surrounding the issues raised by your (initial) article!
See the following web-links of KUOW's and The Daily of the UW's publications:
http://www.kuow.org/program.php?id=17258
http://dailyuw.com/2009/4/14/new-card...
Lightning Empiricist
#7 LightningEmpiricist
on April 14, 2009 at 5:48 a.m. (Seattle, WA | UW Community)
AN IMPORTANT MESSAGE TO ALL AFFECTED PERSONS:
While it is all well and good that my "voice from the wilderness" is posting comments (on the Seattle Times article's Comment Forum as well as this The Daily article's Comment Forum) that ask many relevant and timely questions in need of complete, truthful, and accurate answers from UW Officials in these matters of the public record, you deserve no less ...
DO NOT assume that my (largely) "lone voice" (no matter how verbose) will (without YOUR involvement, too) necessarily lead to the "Press" ensuring that these relevant facts (that the public needs and deserves to know) are brought to the light of day!
If you are one of the affected persons in this matter of the breach of your - SAY SOMETHING, too! YOU are a critical component in the outcome of this matter!
You can (as I have) anonymously create any User Name that you like on the Seattle Times as well as this The Daily Comment Forums, and *demand* the answers that you (as well as your coworkers) need to know!
You can email the members of the Press who have (to date, so far) published articles about this serious matter, and strongly urge them to continue to investigate further! Let them know these things matter!
Here are their email addresses (in the order of their dates of their publications):
Nick Perry <nperry@seattletimes.com>
Deborah Wang <debwang@kuow.org>
Lexie Krell <subed@dailyuw.com>
DO NOT assume that because one person is making "lots of noise" (so to speak ... :) all you need to do is sit back and watch!
IN FACT the "Press" as well as UW Officials will only be moved to act (if and when) YOU get involved. I highly recommend that (if you want real results), make your voices heard! It's easy, it's anonymous, and the "identity" that you save may be your OWN!
Regards and Best Wishes,
Lightning Empiricist