Data recovery, lawyers and sensitive information: Looking into the Fairbanks school district potential data breach
This story is written in chronological order based on when information was received by this station.
FAIRBANKS, Alaska (KTVF) - On June 29, 2019 the Fairbanks North Star Borough School District sold some computers it had surplussed at an auction. The high bidder was 1st Strike Asset Management LLC. Now, over a year later, 1st Strike claims there was sensitive information on the computers and is currently suing the school district, but how did it all happen?
According to Ruben Leake, the CEO of 1st Strike, in early 2019 he was looking to build a security camera system for his property and needed computers and servers. He had heard about an auction of surplus equipment from the Fairbanks North Star Borough School District. “There was a pallet that had servers and data vaults on it, so I did a little research into something we could use for our system. I sent one of our guys over there to buy them and pick them up, which he did.”
Once they got the computers, Leake said they began to analyze them and realized there was still data on the machines, “For school district students, teachers, [and] employees. So at that time we just shut everything down and stored it.”
He said there were student records, employee records, medical records and even social security numbers on the computers. According to a complaint filed in court by Leake’s attorney, Bill Satterberg, this data being on the computers could potentially amount to violations of, “HIPAA laws, social security confidentiality laws, personnel laws, and student confidentiality laws -- which need to be independently investigated and addressed to avoid future violations of this nature.”
According to an email from Karen Gaborik, the superintendent of the school district, the ‘General Security Processes’ for when they surplus equipment are as follows.
When it is determined district devices have reached the age where it is no longer economically feasible to maintain them, the district engages in the following surplus procedures:
- A work order may be created depending on device condition and type.
- Hard drives are removed, destroyed, or wiped clean.
- System entries such as Active Directory and FileWave are removed.
- District tags are removed.
- Shipping and Receiving collects the devices and bundles them for sale by a third party vendor.
- Auction agency conducts sale of auction items, collects payment, and provides receipt for collection of the awarded lot.
- Successful bidder presents receipt and takes possession of auctioned items.
The email went on to confirm that the computers in question were sold at auction, but said that until they are able to inspect the computers they cannot confirm that there was any data on them.
Leake said that after they purchased the computers, they noticed there was still information on the hard drives, “And then we went a little deeper to see what it is, [using] just your standard off the shelf recovery program. I mean it’s actually freeware. You can get it for nothing, plug it in, and there is all the information.”
Leake said that the data recovery programs can take a few days to a week to restore the data. When asked if data recovery is something they normally do, he said yes.
“If you plug things into your network, unknown devices, you are exposing your network for an attack, and you are exposing your own network as a data breach,” Leake said.
Leake confirmed that it appeared the school district had attempted to delete the data by deleting partitions on the drives, which he said amounts to taking the index page out of a large book. “When someone asks you, ‘I want you to find the works of Edgar Alan Poe,’ well I can’t find it, there is no directory for it, there is no index, but it is still there. You just have to thumb through to find it.” According to Leake, the program they ran was able to go through the data and find where it was so it could be viewed.
After finding the data, Leake said he had his employees put the computers into storage, “Because I knew that that this was going to be very tenuous, you know, to get the borough to admit what had happened. And that has proven to be true."
After being in storage over the winter, Leake said he contacted Satterberg to help with the situation. “I originally consulted him as just a liaison between myself and the Borough, and the Borough became very demanding. It wasn’t looking pretty, they wanted us to sign a non-disclosure agreement, they wanted to sweep this under the carpet.”
According to the school district, they were notified of the potential data leak on August 7, 2020 when they were contacted by Satterberg who said he represented an individual who had purchased computer equipment from the 2019 auction and claimed it had sensitive information. According to the district, Satterberg initially asked for $100,000 to return the computers, a claim he denies.
Satterberg said “At some point it was, ‘Well how much do you guys want?’ ‘Well how about a $100,000 or something like that?’ It was a joke. People that know me know that sometimes I, April First birthday, know that I was basically BS-ing if you will. I made contact very shortly after [and] said, ‘Hey guys, that’s not what we are after.'"
We received email communications between Satterberg and Bruce Radke, an attorney for the School District, which shed some light into the how the matter ended up becoming a lawsuit.
On Aug 27, 2020 Radke wrote in an email asking for the serial numbers of the computers so they could verify that the district sold them. The email also requests that the users continue to refrain from sharing any information or making copies. Satterberg and Leake both said that the information was never copied or downloaded, saying that could have potentially been a violation of various federal and state laws. The email also thanked Satterberg for bringing the issue to their attention.
“The District appreciates that you and your client have brought this situation to the District’s attention. Subject to your client’s agreement and compliance with the above, and proof that your client lawfully came into possession of the hardware, the district is willing to consider a claim for loss of use of the hardware," the email read.
In a follow-up email, Satterberg rejected the loss of use claim. “The Borough surplussed equipment on an as-is, where-is status. That equipment contains information, and came with that information. So an open ended, loss of use approach likely will not be acceptable, but I do believe that a fair and reasonable resolution can be reached.” In the email Satterberg compared the situation to someone buying a painting and then discovering a masterpiece located behind it, and said that he would not agree to let the district view the equipment fearing that if that happened, “the leverage is lost.”
On Sept. 28, 2020 Radke rejected idea that 1st Strike owned the data.
To be very clear, the District will not negotiate any payment for the “purchase” of the data Mr. Roberts alleges is stored on the devices. The data is simply not an asset that can be bought and sold. While your client may own the Equipment itself, the data was not part of the sale of the Equipment for the simple reason that the School District had no ability to sell any personal data about its students or employees. As an education entity subject to FERPA, and an employer subject to state laws, the District maintained data solely as part of its activities as an educator and employer. As the District did not own this data, it did not, and could not have, included it in the sale at auction. Moreover, if the data includes what Mr. Roberts claims it does, any “sale” of it would run afoul of Alaska law, which makes it illegal to sell personal information like Social Security numbers... In short, unlike the analogy of a “Rembrandt found in the attic” of a purchased house that you mentioned on our August 27, 2020 call, this data is not a “treasure” of some kind that your client has unearthed and can now claim as his own. It is not his data. Given that the sale of the data is prohibited by law, there is no legitimate market for this data, making it worthless for all legal purposes.
The school district said they will have no part in such a transaction and recommended that Satterberg’s client not have any part in the transaction, as well. They maintained that they would offer to pay reasonable “loss of use” for expenses and burdens incurred as a result of letting the district remove all data from the equipment. The school district also said they will proceed with the understanding that Satterberg and his client are, “acting in good faith and [are] interested in working toward an amicable and mutually beneficial resolution to this situation.” The email said any indication that this is not the case would result in them taking additional steps for the return of the data, including alerting the Alaska Bureau of Investigation Technical Crimes Unit.
“Because of that I had not disclosed my client’s name to the borough at that time," Satterberg said.
Eventually, Satterberg sent the school district attorneys a $15,000 loss of use claim. The calculations included loss of use for 15 months, a claim the district rejected saying they were not notified until two months prior and should not be responsible for the time when they were not aware of the issue. They responded with a $5,000 counter offer. Eventually the District sent a settlement offer that required 1st Strike to return the equipment and stipulated that the district would pay $10,000 to 1st Strike. The offer also said that 1st Strike would be required to cooperate in a forensic review of the equipment. The offer also included a confidentiality clause that Leake and Satterberg would not agree to.
“My client is not willing to agree to a confidentiality agreement or to trust that the Borough will necessarily do the right thing with respect to notifying possibly compromised parties,” Satterberg wrote in an email on Oct. 7, 2020. “It is not a question of the settlement amount. My client does not need the funds and what the Borough is offering is nominal. My client is not seeking to be paid for the proverbial hidden Rembrandt and for the purposes of settlement has accepted the Borough’s arguments on that issue... Again, in the end, it is not a financial issue, but a far more important issue of the public’s interest.”
Leake expressed similar concerns, “In my opinion this needs to be public knowledge this happened. This could have been a very catastrophic data breach. I don’t know how many people are on these computers, how many people’s information, but it’s a lot, it’s in the thousands.”
He stressed that this was not about money but about informing the public.
The School District had set a date of Oct. 9, 2020 to turn over the computers and accept the settlement. On Oct. 9, Satterberg instead filed an interpleader lawsuit asking for the court’s guidance on the dispute and asking them to take the computers into possession while the issue was litigated. The complaint also asked the school district be required to cover costs and attorney fees and “any such other relief as the court deems just and equitable in the premises.”
A week after the lawsuit was filed the school district sent out a press release explaining their side of the story. The press release was followed up by a letter from Superintended Karen Gaborik going into more detail surrounding the events. The district has declined to do an interview regarding the incident and said in a statement, “Once the district has access to the equipment it will promptly assess what has taken place, act in accordance with its legal obligations and address any deficiencies in existing procedures that may have contributed to these events.”
1st Strike and the school district have agreed that the equipment be turned over to the school district so they are able to review the information. Satterberg said that since the story broke, at least one other person has contacted him saying they found data on a computer from the district. Satterberg said he is looking into the allegation and other potential instances where the school district sold computers that had not been completely wiped.
We will continue to follow this story as it develops.
Copyright 2020 KTVF. All rights reserved.