Internal documents, crisis communication plans made public
Sophie Mattson & Jenni Sigl
THE SANTA CLARA
October 27, 2016
In the latest breach of cybersecurity on campus, a trove of internal documents from the Office of Marketing and Communications were leaked by the anonymous hacker SCUWatch.
On Oct. 17, this newspaper received an email from an unknown sender containing a file folder labeled “OMC_Leak.” The anonymous sender, who only identified themselves as SCUWatch, sent internal documents from Santa Clara’s Office of Marketing and Communications. Included in these documents were crisis management plans, university social media strategies and personal contact information for upper level administrators.
According to Chief Information Officer Bob Owen, there are two ongoing, active investigations by the university into this latest leak and the previous breach of video surveillance footage. Two videos surfaced online in recent weeks, one showing the defacement of the 43 students memorial and another of two students drawing a swastika in blood in the Casa Italiana Residence Hall elevator.
In an interview with The Santa Clara, Owen said that both leaks were the result of careless password management and not a breach of university systems or firewalls.
Owen blamed the video breach on “undisciplined password management,” but could not elaborate because of the ongoing nature of the investigation. He did go into more detail about the OMC leak, stating that a username and password were in plain sight and then used to gain access to a computer.
“Regarding the OMC data breach, I can say that it was a situation where we had an employee who basically had a password visible at their workstation that anybody could’ve seen and could’ve taken and could’ve gone to the races with,” Owen said.
Owen said that so far in the investigation there is no indication that someone remotely hacked into university systems— human error was instead the culprit.
“It would be like me writing my password down on (a business card) and putting it right on my desk and it says ‘Bob’s password’ so anybody walking by can say, ‘oh, that’s Bob’s password,’” Owen said. “That’s not good password management.”
Owen could not confirm whether or not the owner of the login information is a suspect in the leak of the OMC documents.
“Our security systems worked. They were not breached. The problem was that there was undisciplined password management,” Owen said. “This has to do with people not managing and protecting their passwords like they should. That’s not good but it wasn’t like we had a major failure in one of our systems that keep us safe.”
According to Owen, the username and password were readily available to potential onlookers.
“There are a lot of people in OMC and we’ve got reason to believe that a lot of people could have had eyes on that password,” Owen said.
The Leaked Documents
The folder of leaked documents primarily contained crisis management plans standard to any university or organization. However, a careful review of the documents did reveal some peculiarities.
One document labeled “Internal Contact Sheet” contains personal contact information for various upper level university administrators, such as Philip Beltran, the director of Campus Safety and Jeanne Rosenberger, the vice provost of student life. The document even includes university President Fr. Michael Engh, S.J.’s, personal, home and cell phone numbers.
Deepa Arora, the university’s communications director, said she created that document herself and originally began printing and distributing it about three or four years ago. The contact sheet is distributed to university administrators in the form of a small, yellow, laminated, folded pamphlet.
“People wanted something easy, they didn’t want to put it in their phones, they wanted something that could sit in their dresser drawer or their glove box so this is what we came up with,” Arora said. “We change it every year. We send it to people with a note every year saying that this is private information, please shred it when you are done with it.”
A document titled “Diversity On Campus Talking Points” contains a list of the university’s talking points that they use when addressing diversity concerns on campus.
“Santa Clara University acknowledges that the campus needs greater diversity,” the document states. “Diversity cannot be viewed as just another initiative; it is a way of life.”
There was also an excel spreadsheet titled “Influencers,” which contains the names of a handful of Santa Clara students. It contains descriptions of their accomplishments and personal traits, along with links to their personal Facebook pages, Twitter handles, Instagram accounts and other social media accounts.
Arora said that this document was the product of brainstorming and was never used by her office. She described it as an “ideation” created by someone “new to campus.”
Senior Lidia Diaz-Fong who serves as president of the Associated Student Government was listed in the document and described as “connected on campus,” “organized” and “professional.” Her personal Instagram account was also linked to the spreadsheet.
Diaz-Fong said that although she found her description in the document “flattering,” she also found it strange that social media accounts were linked in the spreadsheet. She said it is even more alarming that the internal documents were leaked in the first place.
“Clearly, these are working documents from the OMC and I think that there is something wrong with our information technology security systems that should be checked out,” Diaz-Fong said. “If they are investigating the leaks of the documents and past videos, they’re not being transparent about this with us (the student body). It makes you wonder, if the hackers have access to this, what other things can they see? What’s coming next?”
A staff member of this newspaper was also named and described as being “very up on all things Santa Clara.” Their personal Facebook and Twitter accounts were linked in the document.
Crisis Communication Plans
A folder labeled “Crisis Communication Documents” contained various contingency plans detailing the process for informing the student body about hypothetical crises that could affect the university community.
The hypothetical crises include active shooters on campus, the spread of disease, a data breach, the death of a construction worker, a student death from alcohol poisoning, a sit-in to protest campus diversity issues, a terrorist attack at Levi Stadium and the Leavey Center and a sexual assault at an off-campus location.
One of the documents, titled “Diversity assess the situation” contains a hypothetical scenario in which members of Unity 4 are staging a sit-in near “La Parilla” in Benson Memorial Center.
Another one of these hypothetical scenarios contained in another document is a “Terrorist attack at the front entrance of the Leavey Center, six people injured including four SCU donors struck with bullets from what is believed to be a lone attacker wielding an AK47.”
In the folder regarding the response to the hypothetical terrorist attacks, a document labeled “Crisis Action Matrix active shooter” appears to contain a systematic approach to addressing the crisis, weighing the university’s priorities for which groups should be taken care of during the event.
In the same document, the question “What will happen if nothing is done?” is posed and the response is that “The reputation of the university will take a huge hit if students are not taken care of and information to alumni, parents, families and donors is not communicated effectively.”
The folder with information of how the university would respond to a protest concerning campus diversity contains a document titled, “Diversity Process Map Visual.” It contains a prioritized timeline of actions the university would take to respond to the incident.
The document indicates that the first response to the events would be to “prepare an official statement from SCU,” “post on (Facebook), Twitter” and “write talking points for use by (university) officials.”
The second line of response would be to “monitor Facebook and Twitter for information and rumor control” and “secure statement from trustees in support of President and send to campus community,” followed by other steps.
It also indicates that after the crisis is resolved, the response would be to “Get op-ed written about issue to run with President or Provost byline” and also “Get blogs written about the issue and place on behalf of alums and donors.”
In the crisis communication plan for sexual assault, there are specific instructions not to use social media channels to communicate information regarding reported incidents. When asked why this policy was in place, Arora said that it is in order to comply with Title IX rules.
One of the documents contains a scanned report from March 2015 by SimpsonScarborough titled “Santa Clara University Image & Positioning Research.” The report analyzed the way that prospective students, alumni donors and alumni non-donors view the university and how it measures up to other comparable institutions of higher education.
In the research, 939 alumni donors and 457 non-donors were surveyed online, as well as 881 high school students identified as ideal prospective students.
The report stated that among the surveyed alumni, they most strongly associate the words “Jesuit Catholic, community-oriented, ethical and intelligent” with Santa Clara. However, the words “caring,” “diverse,” ambitious,” and “global” were least often used among the alumni to describe the university.
Handling the Aftermath
The individual who released the leaked documents used a hidden Tor email address to conceal his or her identity. Tor is free software that enables people to communicate anonymously on the Internet and prevent someone from obtaining the individual’s location and browsing history.
The software is commonly used by whistleblowers to anonymously communicate information. Tor is also used by individuals living in countries like China and Iran, where access to websites like social networking platforms is limited, allowing them to browse the web without restrictions.
Tor email addresses are encrypted to allow users to hide their IP addresses, preventing the origin of emails from easily being traced. Since the hacker released the OMC documents through Tor, Santa Clara has no current plans to attempt to uncover the identity of the person who sent the email.
“You start dealing with the dark web and ways of covering tracks. There’s just no way that we can find out who that is,” Owen said. “Maybe the National Security Administration has resources to do that but we don’t.”
In the wake of the leak, Owen said that the university will stress cybersecurity training, which will include more detailed instruction on how to properly create and protect passwords.
“It’s the human element that failed in this occasion, so we are going to offer a lot more training,” Owen said. “A recommendation that is coming out of my division is to make cybersecurity training mandatory for all employees.”
To prevent someone from obtaining your password and hacking into your accounts, Owen recommended using a “pass phrase” instead of a traditional password. He used the example, “Letthewordgoforth1961,” which is a quote from President John F. Kennedy’s Inaugural Address and the year he said it.
To increase password security, he also suggested using a phrase from a favorite book or poem and changing a word. He offered the example of “Maryhadalittlerotweiler1999” instead of “Maryhadalittlelamb1999” as a password.
Ethical Implications of the Hack
Kirk Hanson, executive director of the on-campus Markkula Center for Applied Ethics, said that he does not think that the release of the OMC documents was an ethical choice on the part of SCUWatch.
“The SCUWatch people, in revealing the OMC documents are not ethically thoughtful and are simply voyeuristic. Every organization has contingency plans,” Hanson said. “The Ethics Center has talking points for all kinds of issues. Having the crisis plans is the thoughtful, prudent working of an organization.”
From an ethical standpoint, he said the release of the footage depicting the vandalism of the 43 students memorial and the Casa security footage would only be ethical if there was evidence that the administration was slow in its follow-up and investigation into the matter.
However, Hanson said that it was “much too soon” to conclude that so he believes the release of the footage was also unethical.
Shortly after the campus community was made aware of those incidents, SCUWatch posted CCTV footage of multiple perpetrators committing the acts.
The response to the video footage on campus was widespread disdain for the acts and a call for increased transparency on behalf of the administration.
Many also called for the drawing of the swastika in the Casa elevator to be labeled a hate crime instead of an act of vandalism or bias incident.
“There’s a case to be made that there was public interest in that, but only if you feel that the administration was not taking it seriously or that it was somehow proportional to reveal the identities of the individuals,” Hanson said.
However, Hanson said he is opposed to the wholesale release of information and private correspondence like this and called it theft. He compared it to the latest WikiLeaks scandal, in which thousands of emails between Hillary Clinton and her aides were released.
“The way the release of the documents is being handled, there’s this implication that there’s something sinister here,” Hanson said. “There’s nothing sinister here, it’s simply responsible management—from what I know—of the documents.”
Owen said the administration has not officially linked the CCTV footage breach with the OMC leak. While they could be the work of the same hacker, a definitive connection between the two incidents has yet to be drawn.
“Doesn’t mean it doesn’t exist,” Owen said. “(But) we haven’t seen anything.”
The Santa Clara attempted to contact SCUWatch through the private messaging system on Vimeo, where the group posted leaked surveillance footage. At the time of publication, they had not responded.
Owen said that his office has not had any contact with SCUWatch.
When asked if the OMC will be implementing specific changes in response to the leak, Arora said that they will be following the recommendations of IT. In response to a followup question about possible increased oversight of student workers, Arora offered the same answer.
“We’re going to follow IT’s recommendations,” she said.
Contact Sophie Mattson at firstname.lastname@example.org or call (408) 554-4849. Contact Jenni Sigl at email@example.com or call (408) 554-4853.
Clarification: Hanson said he believes the release of the Casa and 43 students memorial CCTV would only be ethical if there was evidence that Santa Clara’s administration was slow in its follow-up and investigation into the matter. He said it is too soon to conclude this.