When thieves broke into an Olympia storage locker in April and hauled away an 85-pound locked safe, they set in motion a series of events that forced Washington State University to send letters to 1 million people advising them their data might have been compromised.
The safe contained a computer hard drive – a backup containing personal information, including Social Security numbers, that was stored off-site by WSU’s Social & Economic Sciences Research Center. The center, a research arm of the university, contracts with state agencies to evaluate the quality of the data those agencies are collecting, said Phil Weiler, vice president for marketing and communication at WSU.
WSU doesn’t have any idea if the thieves were able to break into the safe, if they know what to do with the hard drive, or if they’re able to interpret the data, which is stored in a relational database that requires some expertise to unravel, Weiler said.
In addition, some of the files were encrypted, and some were password protected, he said.
But there’s certainly a chance they’ll figure it out, which is why WSU hired a computer-forensics firm to determine what data had been backed up onto the hard drive. This month, WSU sent letters to 1 million people warning them of the breach. The university is offering those affected a year subscription to free credit-monitoring and identity-theft protection.
The data includes names and a mix of personal information, including Social Security numbers for some of those affected. Some of it comes from school districts who track their students after graduation to find out if they’re going on to college, or getting jobs, Weiler said. The research center also has contracted with state job-training programs that track their clients to see if they were able to find employment.
Some people who got the letter found it hard to believe that WSU had their data and questioned whether the letter was legitimate.
Weiler said the hard drive contained data from 1998 to 2013. Some of the research center’s work includes long-term studies that track participants over many years.
Weiler said the theft is causing WSU to do a “top to bottom” review of its information- technology practices and policies, including where and how it stores backup hard drives, and also how it handles personal information.
It’s not clear how much that will cost WSU, but some of the cost will be covered by the university’s cybersecurity insurance, Weiler said.
Some people who got the letter found it hard to believe that WSU had their data and questioned whether the letter was legitimate. It is signed by WSU President Kirk Schulz, who wrote, “As president of Washington State University, I deeply regret that this incident occurred and am truly sorry for any concern it may cause you.”
The letter also says the hard drive contained personal information “from some survey participants,” which has confused many callers who say they never participated in a WSU survey, Weiler said. He described the use of the word “survey” as a social-sciences term that does not mean the same thing as a personal survey administered to an individual.
The university has set up an assistance line, 866-523-9195, which is operating Monday-Friday between 8 a.m. and 6 p.m. to answer questions about the data breach. It has also posted information on its website at wsu.edu/security-incident/.