Unencrypted backup drive, stored in safe, goes missing when safe is stolen.

Letters from Washington State University (WSU) have begun to arrive in the mailboxes of approximately 1 million individuals whose personally identifiable information was compromised when a safe containing a backup hard drive was stolen.

WSU learned on April 21, 2017 that a “locked safe containing a hard drive had been stolen.” The hard drive contained the backup files from WSU’s Social & Economic Science Research Center (SESRC). On April 26, WSU confirmed PII was compromised. On June 9, they began informing those affected and sending breach notification notices to various states’ Attorney General Offices.

In WSU’s public statement, they noted, “The drive contained documents that included personal information from survey participants, such as names, Social Security numbers and, in some cases, personal health information. Entities that provided data to the SESRC include school districts, community colleges, and other customers.”

Normally, we ascribe a breach of this size to a hacking incident or other technological magic. In this case it was a physical theft of the safe that was serving to protect the data stored within.

The university, in its letter to the New Hampshire Attorney General’s Office (NHAGO), noted that not all (though apparently some) of the files on the hard drive were encrypted. The breach notification letter to the NHAGO noted that the information compromised was “personal information from survey participants and individuals in studies done at SESRC.
Personal information was provided by Washington State agencies, colleges and school districts, among others, which included names, addresses, Social Security numbers, and in a few instances other types of information.”

The two sample letters sent to those affected, which were provided to the NHAGO, were crafted for the aforementioned survey participants, with a separate letter for the parents/guardians of minors whose personal information was contained on the hard drive. WSU noted, “the information on the hard drive had not been accessed or misused in any way.” How they know this was not shared.

One year of identity theft protection was offered to all affected. Furthermore, their public-facing statements all emphasize that WSU has taken steps to strengthen its IT operations.

The IT department at WSU did almost everything correctly in their data backup scheme. They backed up their data and secured at least one copy in a safe, offline. Thus, from a business continuity perspective, in case of a catastrophic event they were able to recover. The fact that adequate protection was not afforded to the safe is self-evident.

WSU also recognized their shortcomings in opting not to encrypt the entire hard drive prior to storing it. Encrypting the unattended but “securely stored” hard drive would have rendered the theft of the safe and hard drive an event of much less magnitude. With the remediation costs of a data breach running at approximately $140 to $150 per record, this may well be a $100+ million event for WSU.

WSU has provided a lesson to all entities that not all IT threats are technical, and that physical theft of data storage devices is a reality to be factored into each and every data protection and business continuity calculus.