Order from chaos

The IT people at Georgia Institute of Technology weren’t exactly prepared last month when they discovered that a server in their business office had been hacked. That server contained two years’ worth of travel reimbursement data, passwords for the on-campus purchasing system, and employee credit card numbers and personal information, all of which may have been compromised.

There was no contingency plan for an IT security breach like this. They had to scramble.

But the way Georgia Tech’s IT people handled it, they might have been working from a textbook checklist of how to get it right.

Step 1: Spot the problem. On Monday, March 11, a Webmaster noticed the server’s log files had been erased. He sounded the alarm.

Step 2: Plug the hole. That meant immediately limiting access to the server.

Step 3a: Figure out just how bad things are. On Monday and Tuesday, Georgia Tech’s IT people had no contingency plan for a server break-in, but they knew they had to analyze before they could act. They checked the server’s bandwidth usage and spotted a big spike in traffic over the weekend – a 350GB spike. Someone, or a lot of someones, had pulled a huge amount of data off the server, then nuked the logs. This wasn’t subtle hacker exploration – this traffic looked like Grand Central Station.

Then the IT team catalogued what was on the server and identified the scope of the potential problem: employee names and personal information, credit card and Social Security numbers, passwords, and images of signatures for as many as 1,000 faculty members and other employees.
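The two signals that tipped off Georgia Tech’s staff in Steps 1 and 3a, an append-only log that suddenly got smaller and a weekend egress total far above the server’s normal traffic, are exactly the kind of thing a defender can check automatically. The script below is an added example and is not Georgia Tech’s or Computerworld’s code; the daily byte counts, log sizes and dates are constructed (the two spike days are sized to add up to the 350GB figure the column reports), and the `factor` threshold is an assumed tuning value.

```python
"""Flag outbound-traffic spikes and shrinking log files from daily records.

Added example (not from the column): automates the two checks Georgia Tech's
staff did by hand, namely spotting a weekend egress spike and noticing that
the server's logs had been erased. All data below is constructed.
"""
from statistics import median

GB = 1024 ** 3

# Constructed sample: bytes sent from the server per day. A normal day is a
# few GB; the two weekend days jump to 180GB + 170GB = 350GB, the figure
# the column reports.
DAILY_EGRESS_BYTES = {
    "2002-03-01": 3 * GB, "2002-03-02": 2 * GB, "2002-03-03": 4 * GB,
    "2002-03-04": 3 * GB, "2002-03-05": 3 * GB, "2002-03-06": 4 * GB,
    "2002-03-07": 3 * GB, "2002-03-08": 3 * GB, "2002-03-09": 180 * GB,
    "2002-03-10": 170 * GB, "2002-03-11": 3 * GB,
}

# Constructed sample: size of the web server's access log at each daily check.
# An append-only log should never get smaller; a drop means truncation or
# deletion and is worth an alarm on its own.
LOG_SIZE_BYTES = {
    "2002-03-08": 52_000_000,
    "2002-03-09": 61_000_000,
    "2002-03-10": 70_000_000,
    "2002-03-11": 0,  # log wiped
}


def egress_spikes(daily, factor=10.0, min_baseline_days=5):
    """Return (day, ratio) for days whose egress exceeds factor x the median
    of all preceding days.

    The median of prior days is used as the baseline because one huge day
    would drag a mean upward and mask a second spike day right after it.
    The first min_baseline_days are skipped so the baseline has some history.
    """
    days = sorted(daily)
    flagged = []
    for i, day in enumerate(days):
        if i < min_baseline_days:
            continue
        baseline = median(daily[d] for d in days[:i])
        if baseline > 0 and daily[day] > factor * baseline:
            flagged.append((day, daily[day] / baseline))
    return flagged


def log_shrinkage(sizes):
    """Return (day, previous_size, size) for each check where an append-only
    log is smaller than at the previous check."""
    days = sorted(sizes)
    return [
        (days[i], sizes[days[i - 1]], sizes[days[i]])
        for i in range(1, len(days))
        if sizes[days[i]] < sizes[days[i - 1]]
    ]


def flagged_egress_gb(daily, flagged):
    """Total egress, in GB, over the flagged days (for the incident write-up)."""
    return sum(daily[day] for day, _ in flagged) / GB


if __name__ == "__main__":
    spikes = egress_spikes(DAILY_EGRESS_BYTES)
    for day, ratio in spikes:
        print(f"egress spike on {day}: {ratio:.0f}x the prior median")
    print(f"total egress over flagged days: {flagged_egress_gb(DAILY_EGRESS_BYTES, spikes):.0f} GB")
    for day, before, after in log_shrinkage(LOG_SIZE_BYTES):
        print(f"log shrank on {day}: {before} -> {after} bytes")
```

Run against the constructed data it flags both weekend days and the wiped log on the Monday; the egress check only says *that* an unusual volume left the server, so it must be followed, as in Step 3a, by cataloguing what was on the machine to decide what may have been exposed.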

Step 3b: Call the cops. Actually, the IT staffers did that as soon as they had something solid to report. And they kept the university administration and the appropriate department heads in the loop as well.

Step 4: Call the banks. All the university credit cards whose numbers were on the server had to be cancelled and replaced.

Step 5: Hold the big meeting. Wednesday afternoon, the IT team laid out what it knew, suspected, hoped and feared at a meeting with administrators and department heads. Their theory: The hackers had used the server as a way to distribute one or more very large files, such as a digitized movie. Their hope: The financial data was untouched. Their fear: What if it wasn’t?

The decision that came out of the meeting was to not take any chances. IT and the university’s public affairs office went to work drafting a memo that would lay out what happened and what affected employees should do.

Step 6: Tell the people affected. Thursday at about noon, three days after the break-in was discovered, the memo went out as an e-mail to everyone whose personal information might have been exposed. It was also posted on a Web site at www.fraud_concern.gatech.edu. The memo is a small masterpiece of direct communication, complete with concise explanations, clear recommendations and even telephone numbers for credit reporting agencies.

Step 7: Follow up. So far, no wave of credit card fraud has been reported by Georgia Tech employees. But Georgia Tech’s IT people will keep tracking any problem reports and keep feeding information to users as it arrives.

Was their response perfect? No. Maybe it would have been quicker with better planning. Maybe they should have notified credit card holders right away and not waited for more information.

But they didn’t fall into traps like institutional inertia or an urge to bury the problem and hope for the best. They acted fast, they got a little lucky and they did OK.

So take a lesson from Georgia Tech. Study that checklist and learn from it. Download that memo to users and crib from it. Remember, just because they weren’t really prepared doesn’t mean you can’t be. And just because they got lucky doesn’t mean you will be.

Hayes, Computerworld (U.S.) senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.