Washington State University Data Breach Teaches Valuable Cybersecurity Lesson (Editorial)

Officials at WSU — and every other university and college, as well as state agencies — should learn a valuable lesson from the very expensive and embarrassing experience.

by Walla Walla Union-Bulletin, Wash. / July 13, 2017
Earlier this year, WSU had a backup hard drive containing confidential information that was stored in, as described by a Seattle Times reporter, “a $126-a-month, 8-by-10 self-storage locker in Olympia, inside a $159, 86-pound safe that you can buy at Home Depot.” Shutterstock

(TNS) -- When it comes to cybersecurity, Washington State University Couged It — big time.

And now officials at WSU and every other university and college, as well as state agencies, should learn a valuable lesson from this very expensive and embarrassing experience.

Earlier this year WSU had a backup hard drive containing confidential information, including Social Security numbers, from more than 1 million people. The hard drive was stored in, as described by Seattle Times reporter Erik Lacitis, “a $126-a-month, 8-by-10 self-storage locker in Olympia, inside a $159, 86-pound safe that you can buy at Home Depot.”

Not the kind of decision that swells confidence in state government.

The storage facility is a few blocks from the WSU’s Social and Economic Sciences Research Center, which is why many of those whose data was compromised were not necessarily former WSU students.

“You use a storage locker for old mattresses and crappy furniture, not personally identifiable information,” cybersecurity expert Bryan Seely told Lacitis. “A lot of people have access to those facilities. Once you’re through the main gate you generally have access to every door in every storage unit.”

Putting the info in a safe wasn’t particularly bright either.

“Now you’re not at the crime scene. You have all the time in the world to crack it open.” Seely said.

Given that no other storage unit at the facility was burglarized, it indicates that the data was the target of the break in. Somebody wanted the information.

To be fair, those who made the decision to keep the hard drive in the storage unit could not have envisioned someone breaking in and hauling away the safe. In hindsight, of course, the vulnerability seems obvious.

WSU did have insurance for a security breach. It will pick up the tab, which will be several hundreds of thousands of dollars, after the $150,000 deductible.

WSU has sent letters to the million-plus folks whose information was in the hard drive, to offer them free credit monitoring. Postage alone is expected to be in the $400,000 range.

The university is now going to do a “top-to-bottom” assessment of its computer-security practices “to help prevent this type of incident from happening again.” Good idea. Might be a good thing for other schools and state agencies to do.

The unbelievable is now reality, and a result precautions that once seemed overzealous are now prudent.

WSU learned a hard lesson, but it’s one we can all benefit from.

Editorials are the opinion of the Union-Bulletin's Editorial Board. The board is composed of Brian Hunt, Rick Eskil, James Blethen and Alasdair Stewart

©2017 Walla Walla Union-Bulletin (Walla Walla, Wash.) Distributed by Tribune Content Agency, LLC.