Sensitive data on roughly 1 million people – including names, Social Security numbers and personal health information – were compromised in a burglary in Olympia earlier this year.
Washington State University researchers had stored the data on a hard drive and locked it in a safe in a storage facility downtown, a few blocks from their office. The data came from public agencies, including school districts and community colleges, said Phil Weiler, the university’s vice president for marketing and communication.
The rented locker was used to store backup data from WSU’s Social and Economic Sciences Research Center, which has two offices in Pullman and one in the state capital. The off-site facility might have been useful if information were lost or destroyed at one of the offices – in a fire, for example.
It’s not clear precisely when the safe was stolen, or if the burglar knew what was inside. It’s also not known if the burglar has gained access to the contents of the hard drive.
School officials discovered the burglary on the evening of April 21, when a researcher arrived at the storage unit to perform the routine task of putting a hard drive with up-to-date information in the safe. She was filling in for a co-worker, who usually visited the facility once a week but was out of town, according to a report by Olympia police.
The researcher said “everything appeared normal” and the combination lock on the storage unit “had not been disturbed,” according to the police report. But when she opened the door, the 15-by-15-inch safe was nowhere to be found. Weiler said the storage unit also contained office furniture.
He said school officials found evidence the lock had been tampered with.
“I know for certain we are in possession of the lock, and the lock is damaged,” he said.
An employee of Quality Self Storage, where the safe was stored, said the facility has no surveillance cameras. There are, however, exterior doors that must be unlocked with unique keypad codes before someone can access the door to a storage unit. Tenants supply their own locks for the units, the employee said.
Olympia police Lt. Paul Lower, a spokesman for the department, said no other burglaries at the facility were reported the day before or after the safe was stolen. He noted that most tenants don’t visit their storage lockers often, and probably wouldn’t notice a break-in immediately.
The WSU research center specializes in statistical analysis and often is hired to study topics like academic success and employment rates, Weiler said. Other institutions provide data, such as students’ Social Security numbers, so that researchers can track individuals, he said.
According to its website, the center collects “data from millions of people worldwide” and touts “the degree of care with which we meet our clients’ needs.”
The center lists among its clients the U.S. Department of Agriculture, the Census Bureau, the National Park Service, the Bill & Melinda Gates Foundation, the Washington Legislature, Eastern Washington University, the University of Idaho, and the school districts in Wenatchee and Moscow, Idaho.
On April 26, five days after the burglary was discovered, WSU officials confirmed which files were on the hard drive and launched an investigation. They hired Navigant, an international cybersecurity and corporate consulting firm, to sift through the text files, spreadsheets and relational databases, and determine how many people might be affected.
“There was quite a lot of work that needed to be done to get that list,” Weiler said. “It was a pretty big task.”
In a statement this week, WSU President Kirk Schulz said the university is notifying anyone who may be affected and offering a year of free credit monitoring and identity-theft protection services.
“I deeply regret that this incident occurred and am truly sorry for any concern it may cause our community,” he said.
The school also recruited an Ohio call center to answer questions about the breach. Those who believe they may be affected can call (866) 523-9195 on weekdays between 8 a.m. and 6 p.m. PDT.
In April 2015, WSU officials announced the school’s computer systems were targeted by hackers who may have stolen login information for many university email accounts.
In that case, officials likewise delayed their announcement of the hacking to the public by several weeks, saying that they did not want to alert the perpetrators to the ongoing investigation.
Weiler said the university would conduct a “top-to-bottom” review of its IT systems and cybersecurity practices, and take steps to prevent future breaches.