SPOKANE, Wash. (AP) — Washington State University faces a class-action lawsuit over allegations that its negligence led to a burglary that put the names, Social Security numbers, health records and other personal data of nearly 1.2 million people at risk.
University researchers had the data on a hard drive that they kept in a safe at a downtown Olympia self-storage facility. Last April, burglars stole the safe.
The Spokesman-Review reports the lawsuit filed in King County in December consolidates several complaints that were filed separately after the confidential information was stolen. The lawsuit claims the university violated the state’s Consumer Protection Act, which requires prompt disclosure of personal data leaks so victims can take steps to protect themselves.
The hard drive belonged to the Social and Economic Sciences Research Center, an arm of the university that conducts long-term studies on education and career trends.
The center specializes in statistical analysis and often is hired to study topics like academic success and employment rates, Phil Weiler, the university’s vice president for marketing and communication, has said. The data came from public agencies, including school districts and community colleges, he said.
Following the burglary, the university hired a security firm to determine whose data was compromised. On June 9, seven weeks after the breach was discovered, the university mailed out notification letters.
David Minnery, of Seattle, received one of those letters. He said it was unfathomable that researchers stored private information at a self-storage facility with no surveillance cameras.
“It’s a joke,” Minnery said of the 8-by-10-foot (2-by-3-meter) locker. “You put a little Master Lock on those things. You’re storing household goods you don’t have room for in your garage. It’s not where you store our personal information. It just shows you how little value they placed on it.”
No one has been charged in the burglary. Some of the files on the hard drive were encrypted, and some were password-protected. University officials said they have no evidence the data has been misused or accessed by a criminal.
The university is offering all potential victims a year of free credit monitoring.
Weiler said the university didn’t notify potential victims more quickly because it took time to figure out who was at risk.
Most of the information on the hard drive was stored in relational databases, Weiler said in an email. “We had to associate groups of names with addresses and Social Security numbers. This took a considerable amount of time and expertise from an outside firm.”
The hard drive was used to back up data stored at the research center. Using copies of that data, a security company employed a “brute force” method — basically, trial and error — to decrypt each file.
“This task alone took a number of days,” Weiler said. “We also needed to print approximately 1.2 million individual letters and coordinate mailing with an outside mail house, arrange for credit monitoring for all individuals, stand up an outside call center to handle inquiries, coordinate with state agencies, develop scripts for WSU’s front counter staff in the event that they received calls (and) build the website.”