For more than three weeks, Indiana University websites have been down, disrupting and frustrating the university community. Many of the sites still have not come back. While IU has acknowledged what it calls a “security incident,” officials have released few details.
Last week, Associate Vice President Patrick Phillips met with IT Support to discuss the situation. A source provided a copy of the private Zoom meeting to WTIU News. It included Phillips answering questions.
“Will there be any kind of public explanation of what the initial incident was?” one employee asked. “That quietness about that, I think, has been very disconcerting for a lot of people.”
“Yeah, understand that and appreciate the disconcertion,” Phillips responded. “No, I do not expect there will ever be a public airing of any more about the incident.”
Phillips said University IT Services started getting reports late on June 7 that its homegrown web platform SiteHost, started around 2000, was faltering. Pages were loading slowly, which indicated a problem.
With President Pamela Whitten, University Marketing and Communications and IU officials, IT began prioritizing which websites to keep online.
They decided on 45 websites that Phillips said represent about 90 percent of IU’s web traffic.
“There are outside forces that get things prioritized, and you have to jump when they come in,” Phillips said. “It's been one of the hardest things I think we've ever had to do is try to figure out how to prioritize getting stuff back online.”
IT Services shut down nearly all of its 2,600 webpages to contain the problem. IU released nothing at the time, but eventually said security vulnerabilities were at fault.
IU spokesperson Mark Bode declined an interview and wouldn't make anyone else available. He issued a brief statement to WTIU saying “no sensitive information has been found to be compromised.”
IU did not say whether it completed its audit or hired a third-party incident response service to assist.
The university also did not answer whether law enforcement is involved and why the crisis wasn’t prevented.
The extent of the incident was enough for IU to rebuild its web platform from scratch. SiteHost was tossed and a new system called SiteKube is in the works.
If SiteHost was compromised, someone could have installed software to access MySQL: a database management system that handles research data and legally protected information such as social security numbers or student classes and grades.
When that kind of personal information is stolen, state law requires database owners to tell Indiana residents who were affected “without unreasonable delay,” no more than 45 days after the incident. A “reasonable delay” could be discovering the scope of the breach.
Computer security expert Tarah Wheeler, CEO of Red Queen Technologies and Senior Fellow for Global Cyber Policy at the Council on Foreign Relations, reviewed the Zoom meeting and other public information about the security breach.
She said that while it’s impossible to make a complete judgement without all the background, IU’s decision not to share more information about the incident was wrong.
“The first obligation is to fight for the users, and anyone saying that they are going to withhold information that is key to letting people, especially vulnerable populations, protect themselves has an ethics problem. A deep one,” Wheeler said.
IU could also put off reaching out if the attorney general or law enforcement agencies asked it to delay for an ongoing investigation or national security risk.
Wheeler said that’s not as crazy as it sounds. IU partners with the federal government on defense research, including tens of millions of dollars invested in its partnership with the Crane Naval Surface Warfare Center.
“If what you're looking at is all of the personal information of everybody on payroll who's receiving money for working on defense contracts, do you know the gold mine of information that is?” she said. “It's not just the students, it's everybody associated.”
As for those waiting on pages and databases to come back online, Phillips said there’s no timeline for when IU’s web systems will be fully restored.
“The work is going to continue for a long time,” he said.
