Thursday, May 14, 2009

The West Virginia State Bar Has Posted An FAQ on Its Recent Data Breach

The West Virginia State Bar has posted an FAQ on its recent data breach.


By now, most members of The West Virginia State Bar have received either one or two emails regarding the security breach at the State Bar website. If you received only one email, as far as the State Bar is aware, your social security number was not in the State Bar's database. Approximately 4,000 of the 7,000 State Bar members received a second email advising that your social security number was in the State Bar's database. As of this date, the State Bar has no knowledge that the hackers have looked at any personal information in the State Bar database, and the State Bar has received no reports that any of its members have suffered any identity theft. Nonetheless, and out of an abundance of caution, the State Bar provided an alert to each of its members regarding this security breach. This alert has led to numerous questions, which the State Bar has attempted to answer below so that all of its members will continue to be informed about this situation.

1. Does the Bar have any idea of how this could happen?

In late 2006 or early 2007, the State Bar determined that it needed to upgrade its computers, its network, its member database, and its website. All of these were hosted by the State Bar onsite. Since 2007, the State Bar has been working with computer consultants to upgrade the computers, network and security at the State Bar. The upgrade process has been hampered by the existence of an outdated Linux server, and an unsupported FoxPro database containing member information. Further complicating matters, there existed no documentation regarding the State Bar network layout, hardware, software and/or legacy applications. As such, the upgrade process has been a cycle of discovery and repair which has taken longer than anyone could have expected or foreseen.

In working with the computer consultants, it was learned very recently that outside computer hackers were able to enter the State Bar computer system through the Linux server and State Bar website. From there they created access to the remainder of the State Bar network, including the member database. It is not possible for the computer consultants to determine whether the hackers did or did not look at the member database; they can only advise that the hackers had the opportunity to look at any and all computer data on the State Bar's network.

2. What will the State Bar do to make sure this does not happen again?

The State Bar has now shut down its Linux server and its website. The Linux server will be eliminated. All hard drives in the State Bar network and individual work stations were replaced. The hard drives are being turned over to the Federal Bureau of Investigation. The State Bar will no longer host its own website internally; it will be hosted off-site at a secure location with a company that specializes in website development and internet security. The State Bar website will be completely re-written in a more secure manner. These steps combined should prevent similar security breaches in the future.
The State Bar has worked with its computer consultants to delete all social security numbers from the FoxPro database and no records will be kept in the future regarding social security numbers.

3. Why did the State Bar have my social security number and when did it get it?

At various points in time prior to 2007, the State Bar collected social security numbers. Many people provided this information at the time they were admitted to the State Bar. In addition, some social security numbers were collected by the State Bar when the West Virginia Supreme Court of Appeals first considered the possibility of e-filing. More recently, members provided social security numbers at the time they applied for a photo identification card. Beginning immediately, all communications regarding the applications for new photo identification cards will be via U.S. Mail and in paper form. No electronic records will be kept by the State Bar.

4. Did the State Bar have my social security number or not?

The State Bar had social security numbers for approximately 4,000 members. Members whose social security numbers are believed to have been contained on the State Bar's database should have received a second and third email notifying them of that fact. Some members do not have an email address on file with the State Bar. For those members, a separate letter was mailed to them through the United States Postal Service.

5. Why did the State Bar wait so long to notify me of the breach?

The State Bar acted very quickly after the computer consultants advised The Bar of the potential for a security breach. The State Bar Linux server and website were immediately brought down. The Linux server housed the State Bar's listserv which was its prior method of communicating with all members.
The State Bar's Board of Governors was advised of the security breach and it authorized the dissemination of a press release. The Supreme Court of Appeals of West Virginia was contacted and provided technical assistance in sending out a press release advising of the compromise of the State Bar's network. During this time, the State Bar did not have any ability to mail or email its members as its membership database was inaccessible. The State Bar has now created a new email system to communicate with all members of the State Bar that have their emails on file. The State Bar sent an email to its members within a few hours of its membership database and email listserv being reinstated.

6. What information did the hackers get in the security breach?

It is not possible for the computer consultants to advise the State Bar that any information was reviewed during the security breach. The computer consultants can only advise that the outside hackers had access to the member database and all other data on the State Bar network. The computer consultants reviewed the data in the member database. They have advised that it is not infected with any virus.

7. Why wasn't the site secure?

The State Bar's computer system was equipped with a firewall, which previously was believed to be secure. However, the State Bar's forensic computer experts have advised that no firewall would have prevented the sophisticated hack of the website and database. The State Bar is taking extraordinary measures, as set forth in response to question number 2 above, to prevent a security breach from occurring again in the future.

8. Did the State Bar report this to the credit reporting agencies?

The State Bar has notified the credit reporting agencies of this security breach. The State Bar has also provided the contact information for all three major credit reporting agencies to our members and it has encouraged each member to separately contact those agencies.

9. Is the State Bar going to pay for my credit monitoring costs?

Some State Bar members have requested the State Bar to pay for credit monitoring. Unfortunately, the State Bar has no unallocated funds to pay for any credit monitoring services. To put such a program in place could require an assessment of the members as a whole. Given the lack of any reported identity theft affecting any of its members, the State Bar believes that a special dues assessment to pay for this credit monitoring is an unnecessary expense for its members at this time.

10. Has this been reported to a law enforcement agency so I can file a 7 year report?

Yes, this matter has been turned over to the Federal Bureau of Investigation. They are conducting a formal investigation of the security breach. Within the next few days, it is anticipated that the FBI will begin its forensic analysis of the removed hard drives. The FBI has assured the State Bar that it will pursue location and prosecution of the individual or individuals who breached the State Bar's system.

11. Will we be advised of any information the State Bar receives from the FBI?

Yes, the State Bar will keep its members up to date regarding any public results of the FBI investigation.

Since 2007, the State Bar has been working to correct the flaws in the old computer system and to ensure that a completely safe and fully operational system is up and running as soon as possible. The State Bar regrets any inconvenience to its members.
