More than four months after Ohio State revealed the largest data breach in higher education history, officials responsible for protecting the university’s electronic information remain silent as evidence of internal disputes arises and the investigation continues.
On Oct. 22, the university discovered that a server, which fell under the responsibilities of the Office of the Chief Information Officer, had been breached and the identities of about 760,000 people had been jeopardized.
On Dec. 15, the university notified current and former faculty, students, applicants and others affiliated with the university that a hacker had accessed the server containing their names, dates of birth, addresses and Social Security numbers.
However, Kathleen Starkoff, the university’s Chief Information Officer, and Steve Romig, associate director of Information Technology security in the CIO’s office, have no email records containing the phrase “data breach” before Dec. 5, according to documents obtained by The Lantern through open records requests.
Obscurity shrouds the issue, as university spokesman Jim Lynch serves as OSU’s voice on this matter.
Contacts from the university’s IT department, including Starkoff, Romig and Charles Morrow-Jones, director of IT security, refused comment and referred The Lantern to Lynch.
“If we had everyone in the world saying ‘Well, this happened and this happened, and by the way, we found out that X, Y or Z,’ then we do create a security breach,” President E. Gordon Gee told The Lantern on April 13. “Transparency is an enemy when it comes to those kinds of issues.”
Doug Pollack, chief marketing officer at IDExperts, a data breach solution provider in Portland, Ore., said agencies are rarely silent about data breaches.
“Organizations, generally speaking, try to go out of their way to be overly communicative,” Pollack said. “Keeping it quiet isn’t typically a common practice.”
Emails show IT officials were told not to discuss the breach after it had been made public.
On Dec. 16, the day after the public was notified, Vincent Juodvalkis, the systems manager for the department of electrical and computer engineering, sent out an email on a list that includes about 1,200 IT professionals at OSU asking for details on the breach.
“As someone who will surely be on the list of affected persons, I have a personal interest in knowing what happened. Not for the least because I don’t actually consider ‘no evidence’ that any of the data was actually taken to be the same thing as ‘no data was actually taken.’ The two are not equivalent,” Juodvalkis said in the email. “I’d be rather ticked that my data was not protected correctly and that the central IT groups were not living up to the standards that they expect the rest of us to live up to.”
The same day, Catherine Bindewald, communications director in the office of the CIO, sent an email to several of her co-workers, including Starkoff, telling them not to respond.
“A strong word of caution – do not bite – no response from anyone from our organization please,” Bindewald said.
But in a subsequent email that day, Morrow-Jones suggested to Bindewald and Romig that they reply.
“It might be worth a reply, even if the reply only acknowledged the note, and says the matter is under law enforcement investigation (which is true) so we can’t say anything further,” Morrow-Jones said in the email.
The Lantern found no email evidence of a reply to Juodvalkis, and he declined to comment.
“I’m sorry, I really can’t talk,” Juodvalkis said during a brief interview in his office on April 14.
Juodvalkis’s email only came to light after several public records requests. After The Lantern requested and received redacted emails to and from Starkoff containing the term “data breach,” it submitted the same request for Romig’s emails. Juodvalkis’s email was included in Romig’s emails, but not in Starkoff’s, although she was CC’d in the email chain.
Lynch told The Lantern April 14 that this email was not included in Starkoff’s provided emails because she was only CC’d in the email.
“Our record retention policies allow individuals to delete transient emails where they are not the author or the primary recipient of the record,” Lynch said in an email.
Those retention policies weren’t the only information barrier. Citing attorney-client privilege, the university redacted large portions of the first group of Starkoff’s emails Lynch sent to The Lantern on March 14. After The Lantern told Lynch the redactions were too extreme, he provided more of Starkoff’s emails on March 29. Lynch also said records of disciplinary action taken with the IT staff since the breach could not be provided because the investigation is ongoing.
Gee said the university did not have to notify the public of the breach.
“The university was very transparent about this,” Gee told The Lantern. “The truth of the matter is we did not have to notify.”
But Ohio Revised Code 1347.12, agency disclosure of security breach of computerized personal information data, says any agency that owns computerized data housing personal information must disclose any breach of the security system to those whose information was reasonably believed to have been accessed by an unauthorized person.
“We don’t believe we were legally required to notify pursuant to the statute,” Lynch said in an email Friday. “But, we took a cautious approach and did anyway.”
Pollack said breach notifications are necessary.
“That’s required by law, they’re not doing that because they’re good guys,” Pollack said. “And what they’re offering in the notification letter is up to them.”
ORC 1347.12 also states that if a breach does occur, the agency must notify those affected within 45 days. The public was notified 54 days after the OSU breach occurred.
“The start date is not an easily defined point,” Lynch said. “It took us time to identify whether or not any sensitive (data) was on the system, time to determine whether that data was data covered by the statute, and then time to analyze whether or not the data was subject to expose. Therefore, we were well within the 45-day period.”
Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer advocacy group, said every state has its own data breach law, and notification times vary.
“In many situations, it does take months before there is an actual notification … (but) it shouldn’t,” Stephens said.
Pollack agreed that notification time can vary because of differing circumstances and laws. “On average, it’s about 45 days,” he said.
Gee told The Lantern he didn’t learn of the breach long before the public. He said he was notified probably about Dec. 12 or 13, although Lynch said it was probably earlier.
“I’m a very quick mover once I find out about something,” Gee said. “Even before I was notified, they had already called in the troops to make sure that they knew what was going on.”
The university sought to strengthen its IT security by hiring two computer security consulting firms, Interhack Corp., based in Columbus, and Stroz Friedberg LLC, a New York-based firm.
Representatives from both companies declined comment and referred The Lantern to Lynch.
In December, university officials said the breach would cost OSU about $4 million in expenses related to investigative consulting, breach notification, credit security and a calling center for anyone with questions or concerns.
But costs are expected to exceed the university’s $4 million budget.
According to an estimate Lynch provided, OSU budgeted $200,000 and $22,000 for Stroz Friedberg and Interhack, respectively. Additionally, $100,000 was budgeted for Vory’s, a legal consultant, and $50,000 for Adelman, a communications consultant.
For Experian, the incident notification consultant, OSU put aside $3.7 million, bringing the total estimated cost to $4.1 million. The university’s operating funds will go toward the costs, Lynch said.
OSU hired Experian to provide year-long credit protection for those affected. OSU bought 500,000 activation codes from Experian, costing $3.19 each, for a total of nearly $1.6 million.
Of the 500,000 available activation codes, fewer than 64,500 people have enrolled in the credit monitoring service. The activation codes do not expire, however, until June 30.
“The fact that there have been very few people (to sign up for the protection) … shows that there is not a great deal of concern about it,” Gee said. “And, by the way, we have no evidence that anyone due to this was ever adversely affected.”
But the number of those who enrolled in credit monitoring exceeds OSU’s total student enrollment of 56,064, according to OSU’s statistical summary sheet provided by the University Registrar.
The Lantern is still awaiting subsequent requests for information.
“There are rumors flying wild,” Juodvalkis said in his email. “The silence on this list has been deafening.”