The massive data breach in February that allowed the personal information of nearly 300,000 people to be copied from university databases could have been avoided if proper preventative measures had been taken, according to a contractor formerly assigned to run tests on this university’s websites.
Ex-university contractor David Helkowski said he and his coworkers discovered weaknesses in the university’s systems months before the Feb. 18 data breach while working on a data project for the public health school.
In November, the 32-year-old stumbled across several shell scripts planted in the system, some dating as far back as 2011, he said. These scripts have file manipulation capabilities and “can do things to the system you’re not supposed to do,” he said.
“It’s basically a back door to the system,” Helkowski said, during an interview Tuesday in White Marsh. Neither the university nor law enforcement officials have publicly stated how the databases were accessed in the Feb. 18 cyberattack.
Helkowski’s employer at the time, Baltimore-based information technology consulting firm The Canton Group, did not pass the information in the shell scripts or any other faults along to the university until Feb. 27, he said, more than a week after an unknown attacker copied almost 300,000 faculty, staff and student records dating back to 1992. Brian Ullmann, university assistant vice president of marketing and communications, confirmed the university had not received any reports of system faults at any time before this date.
Kelly Price, vice president of operations at The Canton Group, would not comment on questions regarding when the company received information of system weaknesses or if it withheld information from the university.
“The Canton Group has and will continue to cooperate and work with all law enforcement agencies on this ongoing investigation,” Price wrote in an email, also noting that Helkowski was no longer employed by the company.
After a Feb. 27 teleconference between The Canton Group and the university, Helkowski said, he continued to test the university systems at home. To hide his identity, he used IP addresses from locations such as Sweden, Switzerland and Hong Kong.
“If I had actually gone on and used what I call malicious exploits, which are things used to damage a system, I could have gained full-fledged access to their systems, potentially to their entire network,” he said.
Helkowski then called University Police to clear his name, explaining he had more information on the data breach and could help. He said he did not receive a call back.
University Police spokeswoman Sgt. Rosanne Hoaas was reached for comment, but she could not confirm or deny that the department received a call from Helkowski, because the investigation is active and ongoing.
On the evening of March 14, Helkowski said he posted university President Wallace Loh’s cellphone number and Social Security number to Reddit because Helkowski felt ignored by the university. University officials said they were unable to confirm that the senior university official whose information was made public was indeed Loh.
The morning of March 15, Helkowski said, he contacted members of the President’s Task Force on Cybersecurity, providing them a link to the Reddit page, which has since been removed. According to an affidavit by FBI special agent Jeremy Bucalo made public on Tuesday in the Baltimore City Paper, Helkowski’s initial email to the task force asked for legal amnesty in return for his systems expertise — terms to which Helkowski said the task force had agreed.
“If you want to cooperate I would be willing to provide details … but I would want some assurance (in legal writing) that I will not be charged with any crimes. If not, consider this your fair warning and last contact from me,” Helkowski allegedly wrote from alias “The PPM” to the task force on March 15, according to the affidavit.
Task force members did respond, Helkowski said, but when he outlined all of the system’s weaknesses in a PDF file that he sent them the next day, communication ceased. Attempts to contact various task force members to confirm or deny these events were met with no comment.
On the evening of March 16, the FBI raided Helkowski’s Parkville home and confiscated thousands of dollars’ worth of equipment, according to the documents.
“I don’t believe that anything I did was malicious,” Helkowski said in the interview. “Frankly, I don’t view myself as guilty of anything. In other words, I view myself as a person trying to help. I didn’t do anything bad to them.”
On Monday, Helkowski opened an Ask Me Anything post on Reddit under the username krage28, where he responded to questions from other users.
Among more than 400 comments on the post, krage28 wrote, “all I can do is be honest, cooperative, apologetic for any wrong I have done, and hope for the best.”