Wayland Computer Security: Delays Lead to More Risk
Remember when hackers broke into the Wayland Finance Office last January, and almost stole $4 million of our taxpayer money? The Board of Selectmen hired three IT consulting firms to assess the problem: Elysium, Advent and McGladrey. Over $100,000 was spent. So you are probably thinking, "They took care of it, to stop the hackers."
Unfortunately, significant computer security problems have not been fixed – even though these problems were highlighted in Elysium’s investigation, Mike McCann’s (Advent Consulting) report to the Wayland Board of Selectmen on 13 July, and McGladrey's first report in August. Most of the “high priority” security upgrades recommended in the McCann and McGladrey reports have not been funded, scheduled or even planned.
Risk and potential cost to Wayland taxpayers:
Without appropriate security protection, hackers can easily take complete control of a Wayland computer via the internet, steal data, plant malware and spy on users – from inside Wayland’s network firewall. The computer becomes a ‘zombie’ that hackers control remotely to launch a wide range of criminal schemes.
These security flaws put the entire Wayland network at grave risk – including confidential date for over 20,000 current and former Wayland residents, students, teachers and staff. If this data was stolen, the cost of notification and identity theft protection for every affected person – plus likely financial liability from lawsuits – would easily run into the $millions for Wayland taxpayers.
A number of these computer security issues are so severe that I cannot describe them on the WEN site. I sent confidential letters to the Board of Selectmen, Finance Committee and School Committee with more details. As a member of the FBI / DHS InfraGard program, I also offered to meet with them in Executive Session to review the risks and solutions.
Solutions are clear:
Elysium, Advent Consulting and McGladrey gave clear recommendations that the Wayland Board of Selectmen should follow. Based on their expert advice, Wayland should immediately allocate $500,000 from the ‘free cash’ fund to cover the cost of implementing all of the security fixes, ASAP.
If Wayland does not have enough trained IT staff to quickly implement all of the security upgrades, they should hire an IT services company to install them, and operate / manage the systems if necessary. This is McGladrey's first "high priority" recommendation -- #1 at the top of their list.
Shifting $500,000 out of free cash may not be popular politically in Wayland vs handing this money back to taxpayers. (Wayland currently has more than $4 million in 'free cash'.) The Wayland Board of Selectmen, Finance Committee and School Committee need to show leadership. With reports from Elysium, McCann and McGladrey in hand, they can explain to Wayland taxpayers why quick action is necessary. Delay will not be cheaper. Wayland will have to pay for these security fixes now or later, and if there is another breach we could all end up paying much more.
If the present course continues:
If the Board of Selectmen do not take action now, the Town may vote on another round of computer security upgrades at the next Annual Town Meeting in 2016, followed by RFPs in May and June, for implementation (best case) over the summer. This would be a full 18 months since the attacks in January of 2015.
Wayland will remain very vulnerable all the while. If, heaven forbid, there is another breach, Wayland taxpayers could easily be liable for $millions in financial damages and mitigation costs. Imagine the case a plaintiff's attorney could make, "They knew, and they had the resources but...."
There is nothing to be gained by delay but more risk.
There is some good news:
(1) The Wayland School Committee did not wait to fix a major security problem. After the hacking attack, they launched a project to replace old Apple computers that could not be upgraded with a current version of Mac OS X -- a major security issue. They issued RFPs, picked the least expensive option and signed the agreement in July. All of the new computers and upgrades were installed over the summer. This significantly improved security for Wayland Public Schools.
(2) Wayland IT and the Finance Committee drafted a Capital Improvement Project (CIP) for the November Town Meeting, based on the first report from McGladrey. They included only 3 of McGladrey's 7 "high priority" upgrades, however, so this is a 1/2 step forward. The Board of Selectmen need to take quick action to fund and implement the rest.
Documents are attached:
I attached a copy of the July 10 report to the Wayland BoS from Mike McCann (Advent Consulting) which includes his assessment and recommendations, and my public letter to the BoS.
Please let me know if you have any questions.
Last edited by MarkHays; 10-17-2015 at 02:29 PM.
Update: No action -- so another letter to the Wayland Board of Selectmen
Everyone is still waiting for the "final" (second) McGladrey report on Wayland IT problems and solutions, which is now due at the BoS meeting on Monday, 26 October. This will be the fifth report that the BoS and Town management have received following the attacks on the Finance Department last January, starting with the FBI / DHS report on the attack, the Elysium report on things that need to be fixed, the McCann report on 13 July that listed things that still need to be fixed, and the first McGladrey report in August with recommended fixes and changes. Believe it or not, none of the major security solutions recommended in these reports have been installed.
So, I just sent another confidential letter to the members of the BoS, Finance Committee and School Committee, plus Dr. Paul Stein and Nan Balmer, focused on one major security problem that needs to be solved. Perhaps this will prompt some action. A public version of the letter is attached; unfortunately I cannot include the details in the public WEN forum. Please trust me: this is a very significant, well-known issue -- with an obvious solution. Currently, however, there is no budget, plan or schedule for implementation.
Please let me know if you have any questions.
McGladrey report delivered: Wayland needs to spend $500K on high priority upgrades
The final McGladrey report is finally in, delivered to the Board of Selectmen on Monday the 26th of October. A copy is attached. Here are a few highlights:
- 10 High Priority upgrades: McGladrey recommended ten 'high priority' upgrades for computer security, IT infrastructure and management.
- Significant underfunding: According to McGladrey, communities nationwide spend an average of 3.6% of revenue on IT. Wayland spent 1.3% last year, which was lower than the year before. IT has been underfunded for years, a key reason for many of the problems. Basically, Wayland rolled out thousands of computers to Town staff, teachers and students -- without the foundation needed to support and protect this large network.
- $500,000 near term cost: McGladrey estimated that the first ten high priority upgrades will cost roughly $500K, almost exactly what I told the Board of Selectmen a month ago. Unfortunately, this bill is coming due all at once following years of neglect. This cost can be covered by the >$4 million 'free cash' surplus.
- Cost of a data breach: Paying for computer security upgrades is like buying home insurance. You need to compare the cost of the policy to the cost of damage and loss. The Ponemon Institute recently released an updated study showing how much a data breach typically costs. For Wayland, the average would be $1.5 million for one incident. A PDF document is attached with the details. More delay will put Wayland tax dollars at risk.
Now the Board of Selectmen, Finance Committee and School Committee need to act quickly. The "IT Transfer" in Article 2 of the Warrant for Special Town Meeting on 9 November needs to be amended and increased to $547,000.
More delay will not save money, and another breach would be much more expensive.
Please let me know if you have any questions.
Last edited by MarkHays; 11-01-2015 at 03:50 PM.
Reason: Added info and document re the cost of a data braeach
Special Town Meeting: Urgent IT Upgrades STILL Unfunded
A week ago I thought I would be writing a different, more hopeful story about the progress coming at Special Town Meeting. The Wayland Board of Selectmen voted on 26 October to add $40,000 to the IT Transfer request to purchase an Endpoint Security solution. They also reviewed the RSM / McGladrey report which recommends outsourced IT management services and a new IT Director for the Town -- to make sure Wayland IT is managed professionally going forward.
So, you would expect that the modified "IT Transfer Request" for STM includes these key upgrades. Nope.
In short, Wayland is still stuck on the "paralysis by analysis" path. One data breach would cost Wayland taxpayers $1.47 million or more -- your tax dollars. And once your confidential information is stolen, including private data for thousands of Wayland school children, there is no way to "fix it" and repair the damage.
- $40K funding to purchase an Endpoint Security / Management system was replaced by $25K for more RSM / McGladrey consulting time. Some consulting to pick the right solution is a good idea, of course -- but we need to make actual progress too. Now there is no money to purchase a solution for this critical security risk, just more money for analysis and reports.
- No money is included for the new IT Director position or outsourced IT services, to give Wayland the professional help we need. This was a key recommendation from Advent Consulting and RSM / McGladrey -- but remains unfunded.
Attached are copies of five Town documents with all of the details.
Cybercrime insurance for Wayland and taxpayers?
Does Wayland Have Cybercrime Insurance - To Protect Taxpayers?
Nan Balmer reported to the Wayland Board of Selectmen on 20 February 2015, following multiple attacks and breaches in the Wayland Finance Office. Ms. Balmer noted that she met with MIIA to discuss related insurance coverage.
Despite these breaches and the near-theft of $4 million, Wayland has not installed an automated vulnerability detection / patch management system – lack of which was the proximate cause. The cost of data theft from one breach could easily exceed $1.4 million for notice to every affected individual and identity theft protection, in addition to money that may be stolen and related lawsuits.
With all of this in mind:
I sent a letter to the members of the Wayland Board of Selectmen and Finance Committee, who are responsible for the Town’s insurance coverage and related payments. If a breach and identity theft occurred, however, the largest volume of confidential data is held by Wayland Public Schools -- so a copy was also sent to the School Committee and Dr. Paul Stein.
- Does the Town pay more for insurance coverage related to IT risks, following the breaches last January, to MIIA and/or another company? If so, what is the annual increase in cost?
- Was insurance coverage for IT related risks increased following the breaches?
- If another data breach occurs and confidential information is stolen, are Wayland, WPS and taxpayers covered against the total cost of notification and identity theft protection for all affected individuals? Are there limits on this coverage?
- Are Wayland, WPS and taxpayers covered or indemnified against the cost of related lawsuits and awards?
- Are Wayland, WPS and taxpayers covered against the cost of theft, e.g. a transfer of funds like the attempts last January? Are there limits on this coverage?
Copies of these letters are attached. Please let me know if you have any questions.
Wayland Public Schools -- Major computer security and privacy problems
Dear Wayland residents:
I wish I did not have to add another post about computer security problems in Wayland. Unfortunately, we took a closer look at Wayland Public Schools and found major issues that affect every student and family:
- Missing security updates: We found that over 1,700 WPS computers were out of date by 2 to 4 months, missing dozens of 'critical' Apple security patches. Computers that handle very confidential data were affected, including Health & Wellness, SPED, Guidance, teachers and school administration.
- No encryption: Even though WPS has over 1,000 laptops that are easily lost or stolen, encryption has not been installed, a simple and inexpensive security measure recommended by the US Department of Education. The good news: encryption is included with Mac and Windows -- the IT team just needs to turn it on. Nothing needs to be purchased.
- Is Google mining your student's data? Wayland Schools use and promote Google Apps for Education, (GAFE) which are attractive because they are ‘free’. Unfortunately, the watchdog Electronic Frontier Foundation discovered in December 2015 that Google is mining students’ private data again, despite having signed the president’s Privacy Pledge in 2011. A formal complaint was filed with the Federal Trade Commission. See: EFF.org, December1, 2015, “Google Deceptively Tracks Students’ Internet Browsing”. https://www.eff.org/press/releases/g...-federal-trade
Google's marketing site states that they never mine student data for ads, etc. We analyzed Google's customer agreement for GAFE, however, and found that it gives Google broad rights to process our student's confidential information -- and transfer copies to virtually any company or organization, worldwide. A copy of our analysis is attached.
We also found that Google created a special "Amendment" to this agreement in response to EU privacy policies. This Amendment would satisfy many of our concerns, but it is unclear whether schools in the USA can use it. We contacted Google directly for clarification, and are coordinating with the ACLU and the Electronic Frontier Foundation.
- Insecure "student presentation" system: We found that WPS is using VoiceThread, a Web based system for student presentations. Based on Adobe Flash, this system is very insecure. A copy of our letter to the School Committee is attached, detailing the issues. This highlights the need to review every WPS IT vendor -- to make sure their product is secure, with a customer / privacy agreement that protects Wayland's data and families. (As noted below.)
- WPS IT vendor agreements: Wayland Schools stores large volumes of student and family data with Harris School Solutions (iPass, iStudent and iParent). Although Wayland Schools is responsible for our data under federal law (FERPA), no district privacy policies or contracts with vendors have been created to ensure our data remains secure and private, now and in future. Instead the Wayland Schools are using contracts drafted by the same vendors, contrary to US Department of Education recommendations.
- No new security systems installed: Following the hacking attacks in January 2015, where $4 million was almost stolen from the Wayland Treasurer’s office, you probably think that "The Town took care of the problems." In fact, the Town of Wayland and Wayland Schools delayed purchasing and installing the new security systems recommended by their IT consultants; McCann and McGladrey. Believe it or not, as of 22 January 2016, none of the recommended upgrades have been installed. Not one.
- No insurance coverage for Wayland taxpayers: Finally, Wayland and Wayland Public Schools do not have any insurance to cover the cost of a data breach, which would average $1.4 million for a not-for-profit organization of Wayland's size. Taxpayers would foot the entire bill on top of suffering the painful loss of private student and family data.
Privacy is about choice and control; currently Wayland parents and students have neither when it comes to their data. The Wayland Public School district needs to attend to these issues sooner than later. Wayland Schools should also be transparent about data security and privacy measures, updating parents and students in a timely manner – as recommended by the US Department of Education.
To raise awareness, we formed the Wayland Computer Privacy Initiative (WCPI). Our goal is to inform the public about data security and privacy, promote transparency and work to ensure that our information is kept private and secure when stored on Wayland Town and School networks.
Please join us. Support WCPI’s efforts to send a message to Wayland Public Schools and Town management: we need strong data security and privacy. Send us an email for more information: firstname.lastname@example.org
Last edited by MarkHays; 01-24-2016 at 05:52 PM.
Reason: Added URL to EFF article
Six important updates:
(1) The Wayland School Committee agreed to give us 30 minutes to present security / privacy concerns at an upcoming meeting.
(2) Dr. Paul Stein also agreed to meet with us, and plans to hire an IT consultant to review each of the issues we have identified. Unfortunately, this means yet-more money for IT consultants, after >$90K was spent by the Town on Elysium, McCann and McGladrey -- but this should result in a real project plan with delivery dates and status reports.
(3) Attorneys from the Electronic Frontier Foundation where pleased to receive our analysis of Google's customer agreement for Google Apps for Education and are very interested in what we found. They are currently in Brussels and will review the details when they return. This is a very significant issue for Wayland and many schools across America. We will keep you posted.
(4) We are now coordinating with the Massachusetts Student Privacy Alliance (https://secure2.cpsd.us/mspa/about_mspa.php) and the national Access 4 Learning group (https://www.a4l.org/Pages/default.aspx). We sent them our analysis of Google Apps for Education, and they invited us to join the planning team.
(5) We also sent a FedX letter and documents to VoiceThread -- a web product used by WPS for student presentations, etc. -- that is based on the insecure Adobe Flash product. (They did not respond to our emails or call.)
(6) Harris School Solutions, the vendor behind iStudent, iParent and iPass, did not respond to our emails or calls, so they are next-on-the-list for a FedX letter. Harris holds a large volume of Wayland student data, and has not provided a copy of their privacy or customer agreements -- contrary to US Department of Education recommendations.
Please let me know if you have any questions: MarkAllenHays@Gmail.com
Tags for this Thread