Michael Bahnmaier of Wichita is seeking class action status in the lawsuit, which accuses the university of negligence in keeping and storing sensitive data, waiting too long to alert potential victims about the hack, and “knowingly and deliberately” enriching itself by not paying for security measures that would have guarded against the breach.
WSU in an emailed statement said it thinks the lawsuit is frivolous.
Hackers over a three-day period starting Dec. 3, 2019, targeted a historical database where WSU kept the names, email addresses, birth dates and Social Security numbers of students, some of whom attended classes 20 or more years ago.
WSU quickly learned that the computer server, which was used to run student and employee web portals, had been accessed by “an unauthorized person” and “immediately secured” it, the university wrote in a March 6 letter to those whose information was compromised. The school “engaged a leading computer forensic firm” to investigate the breach’s scope and impact.
The letter says a “comprehensive review” of the server found by Jan. 13 that the historical database had been targeted.
But the university didn’t tell former and current students for nearly two months after that — a “unreasonable delay” that prevented victims from taking early steps to mitigate harm, the lawsuit contends.
“WSU sat on the information for four months (total), and it had no explanation for why it was keeping unsecured data on a server for 20 or more years,” Bahnmaier’s attorney, Bill Federman of Oklahoma City-based firm Federman and Sherwood, said in a phone interview with The Eagle.
“Forget about the gold standard of security. This isn’t even the bronze.”
WSU, in an emailed response to questions posed by The Eagle, said it had recently learned of the class action suit and is “fully evaluating the legal claims and causes of action.”
However, “we do not believe the lawsuit has merit,” the university’s statement said.
“The university has no indication at this time that personal information was misused. However, the university takes the protection of the personal information of each and every member of its community very seriously and is offering a year of identity monitoring services to potentially affected individuals.”
In the March 6 letter to affected current and former students, WSU said it “immediately took steps to respond” to the breach, including working with outside experts to determine its nature and scope. The letter also offered 12 months of identity theft protection services through ID Experts and said WSU was “taking steps to enhance our existing security protocols and re-educating our staff for awareness on these types of incidents.”
But Federman says 12 months of monitoring services isn’t enough because the lag time between a breach and when stolen data is sold for nefarious purposes is often longer, years in many cases.
Victims “need to be vigilant because it’s simply a matter of time,” he said. “And they need to protect themselves because, clearly, the government agencies are not doing it for them.
Bahnmaier, who attended WSU within the past 20 years, has already spent “considerable time” reviewing his personal accounts and monitoring his credit since he learned of the breach, the lawsuit says.
He’s also noticed “a notable increase” in suspicious, phishing emails since the hack, it says.
At the time WSU notified students of the breach, the university did “not have any evidence of actual or attempted misuse” of students’ stolen information, the March 6 letter says.
Bahnmaier’s and others’ personal information “is now in the hands of cybercriminals,” putting them “imminently at risk of crippling identity theft and fraud,” the lawsuit says.
“This has been distressing to him and has caused him anxiety. He feels that any day his identity may be stolen and has spent time investigating and responding to the Data Breach.”
It adds: “WSU should be held responsible for the damages it has caused.”
The security breach isn’t the university’s first. In January 2019, The Eagle reported that three WSU employees lost their paychecks after they were targeted by computer hackers in an email phishing scheme.
Given the earlier breach, WSU’s failure to take steps to protect sensitive data amounts to “a flagrant disregard of its employees’ and students’ rights, both as to privacy and property,” Bahnmaier’s lawsuit says.
“They know they’re under assault by people trying to hack. This is not a one off,” Federman said. “And rather than fund the money to adequately protect its students — its customer client base — they are directing the money elsewhere.
“People do expect to be protected. That’s part of what you’re paying for.”
The suit, filed in federal court in Kansas on May 14, seeks monetary damages and a jury trial.
©2020 The Wichita Eagle (Wichita, Kan.) Distributed by Tribune Content Agency, LLC.
