New Husky ID cards were issued to payroll coordinators Friday after UW Transportation Services and the UWPD confirmed early this month that a hacked server put personal information of UW staff, faculty and retirees at risk.
More than 6,000 names and Social Security numbers (SSNs) were compromised when a Transportation Services server was hacked in December 2008.
The ongoing investigation by the UWPD found that the server was hacked on Dec. 6. Upon discovering that the server had been compromised, it was taken offline and rebuilt before being restored behind the firewall.
“Because there was the chance that the information on the server was taken and that somebody intended to use it to do harm, it was our duty to notify the people who were affected,” said Josh Kavanagh, director of Transportation Services.
However, letters notifying individuals whose information was stored on the compromised server were not sent until late March, nearly four months after the information had been compromised. The complexity of the affected server contributed to this delay.
“It’s fair to say that this was a one-of-a-kind system,” Kavanagh said. “That made our effort to identify what was there and who we needed to be working with that much more difficult. We hope to be using more industry-standard software in the future.”
Kavanagh said the department realized something was amiss when an employee was unable to log in to the computer system.
“One of the first calls we made was to the office of the chief information security officer,” Kavanagh said. “They were able to validate that the system had been hacked.”
As Kavanagh understands it, the incident occurred after a vendor who works for the department changed the configuration of the system by moving the server outside of a firewall.
“It was not something that I would have authorized,” Kavanagh said. “The misconfiguration occurred while they were troubleshooting the issues associated with an update to the software.”
The storage of the SSNs on the department’s sever was related to the transition the university made in 2002 by replacing the SSN with an employee identification number (EID) on records and Husky ID cards.
“Prior to the adoption of the EID, the SSN was used for employee identification for Husky cards issued prior to 2002,” said Ann Gigli, the Husky ID card administrator. “The employee’s SSN is part of a longer number recorded on the magnetic strips of those cards.”
Because SSNs were used to identify employees prior to the transition, Transportation Services had the numbers stored on the server to access certain records. It is not believed that any student SSNs were stored on the compromised server.
“Transportation Services will not have to rely on SSNs after this month, and we will have them purged from our computers at that time,” Kavanagh said. “I’m working closely with other departments on campus to make sure that any lessons learned from this experience are applied to doing a better job of protecting sensitive information when we need to have it and making sure that we don’t have it when it’s unnecessary.”
Reach editorial assistant Lexie Krell at news@dailyuw.com.
Comments
Use the comment form below to begin a discussion about this content.
Sign in to comment
Or login with:
OpenID