Whether you've gotten a speeding ticket, a DUI citation, or gone before a judge in Washington, your personal information's been put into the statewide court computer system. So when hackers broke in recently, gaining access to the data of up to a million people, it was alarming.
“We regret what happened; we take full responsibility for it,” said Vonnie Diseth, Chief Information Officer for the Administrative Office of the Courts (AOC), when she announced the breach on May 9th.
Diseth blamed the breach on a software flaw that opened a cyber door for hackers, but has now been patched.
Mike Keeling, Manager of I.T. Operations and Maintenance for the Administrative Office of the Courts, said: “We had a breach. We had left some data vulnerable. We are going to do everything we can to make sure something like this doesn’t happen again.”
But the KING 5 Investigators have learned administrators were warned nearly two years ago, that the massive statewide computer system lacked many of the basic protections used by other government agencies and private businesses. Yet they failed to heed the warnings of the Information Security Officer they brought in to make recommendations. His name was Bill Brush, and he was hired in June 2011, to improve the computer system's security.
In a computer security information assessment written by Brush shortly after he was hired, he outlined key “areas of concern” and predicted that “exposure of protected data could result in financial, legal and reputation risks to the AOC and Washington courts.
“You can look back and say we should have been more aggressive in our implementation of security. And in hindsight that's obvious," Keeling said when asked about whether warnings were heeded.
Brush also rolled out 100-page Information Technology Security Plan and presented an Enterprise Security Program to the agency in the fall of 2011. He warned that the court’s password requirements were “relatively weak by industry standards.” And he recommended immediate fixes such as increased password complexity and encryption to prevent password cracking.
Those security enhancements weren’t done, so when hackers broke in through a software glitch in the public website a year later, they were able to crack open a stash of confidential files that were on the server.
Keeling said that the files were password protected, but not encrypted.
“Should have been encrypted, absolutely,” he said. “We can say nothing more than, it was an oversight and we’ve taken measures to make sure that it doesn’t happen again.”
King 5 asked internet security expert Christopher Budd, from Trend Micro in Bellevue, to evaluate the Information Technology Security Plan, dated October 2011.
“As security plans go, this was a good one; any company would be proud to have this,” Budd said. “What we’re talking about is a breach that was wholly avoidable, because they knew what to do. They have right here the means that would have prevented it from happening,” he said about the plan.
Why wasn’t the plan put into action? Top administrators made other projects a priority according to Brush, who resigned nine months after unveiling the massive overhaul. He left to become Security Administrator for the Health Care Authority, another state agency.
In his resignation letter, dated July 13, 2012, Brush wrote that “regrettably, AOC’s interest in developing a robust security program is not high.” Brush said that other projects were “clear priorities and security initiatives are not.”
Two months later, hackers breached the computer system through the public website. But without Brush’s plan, which called for continuous auditing, the AOC didn’t learn about the breach until February, and only then because they were notified by a business on the East Coast that had a similar intrusion and recognized AOC’s information.
“It (the computer system) was being attacked, and they did not know about it and someone outside their organization had to alert them,” said Budd.
According to Keeling, it was a wakeup call and the Administrative Office of the Courts is now bringing in a new team of outside experts to assess security, this time promising to act on the recommendations.
“If they say our password plan is too weak, we will change our password plan. If they say that our physical security needs to be increased, we're going to increase our physical security. We are dedicated to this and we are not going to stop short of making this as safe as we possibly can,” Keeling said.
Keeling said only the public website, not the Judicial Information System used by the courts was affected. He said the software glitch has been patched and security increased since the breach was discovered and that security measures are ongoing.
So far, letters have gone out to 94 people whose information was definitely hacked. They're being offered free credit monitoring. Keeling said hackers also had access to 160-thousand social security numbers and more than a million driver license numbers through the files on the server. That leaves many people still wondering where their information went and whether identity thieves will use it to go on a spending spree.