Over 2,000 social security numbers may have been leaked at the end of March when a Seattle University employee lost an unencrypted laptop on a King County Metro bus. Seattle U released a public statement, confirming that the error may have compromised the identities of these current and past faculty members and their dependents. The university has contacted everyone whose information could have been leaked.
Chief Information Officer and Vice President of Information Technology Chris Van Liew, along with Vice President for Human Resources Michelle Clements, said that the university has since enacted new measures and doubled down on previous policies to prevent a breach like this from occurring in the future.
“In the follow-up from that, we have looked at things like encryption, so we’re ensuring that the laptops and desktops on campus are all encrypted,” Van Liew said. “I have an active project with some help to get that done quickly.”
Encryption acts as a lock on data, and only certain people have the key. It prevents unauthorized users from accessing information. In the case of the lost laptop, the email file containing the personal information of faculty members was not encrypted.
Regarding how the faculty member received the file, Van Liew said that it was a case of human error on behalf of a third-party vendor. The vendor had accidentally sent the file through an email to Seattle U.
The vendor recognized the incorrect file and alerted the Seattle U employee, leading to the intended deletion of the email. However, because Seattle U no longer has access to the device, they cannot confirm that the email was in fact deleted. As a result, Seattle U is assuming the worst: that the file containing social security numbers was on the device when it was stolen.
Many believed that the vendor should not have had that information in the first place. However, Van Liew said that the information was in the correct hands the entire time; both the vendor and the employee were authorized to have access to those social security numbers.
“The vendor had every right to have the data they had,” Van Liew said. “The employee had the business reasons to have access to that data as well. It was the wrong file sent in the wrong way.”
Regarding how the file was handled once it was received, Clements explained the actions that were taken on the employee side and the follow-up with the vendor.
“The person on the Seattle U side, immediately when they opened that email, realized that it was problematic and contacted the vendor about it,” Clements said. “We have certainly taken a number of steps with the vendor in terms of what has transpired now, all the way up to discussing some legal ramifications as a result of this.”
Van Liew and Clements are dedicated to ensuring that the chances of information being lost again are low. However, in the cybersecurity field, eradication of risk is not guaranteed because everything is constantly changing, and Van Liew said that it is more of a game of probabilities.
Lowering the risk of data breaches does not stop at encryption. A project to replace multiple systems at Seattle U had the end goal of eliminating the need to send data. The data will be more cohesive and secure in systems of record, where the data does not leave the systems. Seattle U also chartered a data governance committee, which determines what information goes where and who has access to it. Van Liew has additionally hired a Director of Cybersecurity and Risk to help prevent incidents like this.
Of course, the concern extends beyond losing a device with files on it. Phishing scams can occur through opening seemingly normal emails. On the question of user safety, Clements said Seattle U prepares for those situations.
“Everyone is required to take online training every other year. That includes a module on data security. It is to refresh everybody—if you’ve been here 25 years or two years—what are all the things we need to be thinking of as we have hackers out there just to ensure we’re all smart users,” Clements said.
Those involved have been notified and offered a one-year membership of credit monitoring and identity protection.
Clements acknowledged Seattle U’s accountability and affirmed the university’s commitment to protecting the community’s data.
“This is a very serious situation. We view ourselves as an employer as that it’s our job to protect that data,” Clements said. “We cascaded a whole array of actions because we’re responsible. We are responsible for that data.”
Michaela may be reached at
[email protected]