Claremont Colleges employees’ Social Security numbers, including those belonging to student workers, were stored on an outdated server that was so at risk of being hacked in 2019 that a government cybersecurity analyst urged consortium staff to fix a “critical vulnerability” within it.
The server was left exposed to the vulnerability for an extended period of time due to a larger systemic problem: The Claremont Colleges Services’ information technology department ran the server on Windows 2003, software that hadn’t received security updates from Microsoft for four years, according to four current and former TCCS IT employees.
Although BlueKeep became public in May 2019, TCCS staff left the server exposed until the California Office of Emergency Services (Cal-OES) analyst alerted them in September — four months later. TSL verified the Cal-OES warning through a public records request.
The vulnerability could have allowed an outsider with malicious intent to gain access to all of the data within the server, but neither TCCS nor the individual colleges notified students of the risk of a breach.
“A system having a vulnerability is not sufficient to trigger notifications or credit reporting unless there is reason to believe there was a breach,” TCCS spokesperson Laura Muna-Landa said in a statement to TSL Monday.
Muna-Landa said TCCS found no specific evidence that a breach occurred or that data was compromised.
But the TCCS IT employees, who spoke to TSL on the condition of anonymity due to fears of retaliation, said the server had been poorly secured for years.
Employees speak out
The employees said the Social Security numbers stored on the server, called Callisto, belonged to student workers, faculty, staff and other consortium employees. Since TCCS provides financial services to all of the schools except Pomona College, workers across the consortium could have been affected. The server also housed other data for several TCCS departments, including financial services and human resources.
Much of the information on Callisto — unrelated to Pomona’s sexual assault reporting program of the same name — was written in unencrypted plain text spreadsheets, the employees said, meaning someone who gained access would have been readily able to read and exploit it.
Additionally, the TCCS employees said years’ worth of data was archived on the server, so former students and employees also could have been at risk.
“The most critical stuff that you could want to protect was sitting there on a silver platter for any scumbag to take. … And [TCCS] knew it.” — Anonymous TCCS IT employee
In TCCS’s statement, Muna-Landa did not comment on the storage of social security numbers on Callisto or disclose how many years’ of archived data it had.
Muna-Landa said the state’s Sept. 9 notification was “the first time there was any awareness that a necessary patch was missing from Callisto,” even though BlueKeep had been a publicly known issue since May.
The following day, TCCS updated and installed the necessary patch on Callisto, and conducted an investigation that did not find “any evidence that the system was compromised,” Muna-Landa said.
But TCCS may never know definitively if a breach occurred, a file systems expert told TSL.
“A lot of systems keep logs of what goes on, but the logs themselves can be overwhelming because they contain everything that happened,” Harvey Mudd College computer science professor Geoff Kuenning said. “So it’s actually difficult to look through the logs to find out, to watch for problems.”
Muna-Landa said TCCS was “actively working to retire Callisto” in 2019, because it was “exhibiting instabilities.” The anonymous employees confirmed that senior IT staff had long been aware Callisto was beginning to fail.
The files on Callisto have since been moved to a different file sharing system, according to Muna-Landa.
A problem bigger than BlueKeep
For the four years before it was decommissioned, Callisto was run on an “end-of-life” platform — meaning it no longer received security updates from Microsoft.
“There is a tremendous risk in allowing Windows operating systems to remain on the campus network after end of support,” the UC Berkeley Information Security Office said in 2015. “Without security patches for newly discovered vulnerabilities, Windows Server 2003 systems will be easy targets for hackers looking to exploit systems with minimal effort. Industry experts generally agree this is a very likely scenario following July 14, 2015.”
The anonymous employees said they consistently warned senior IT staff that the information was poorly secured.
“The most critical stuff that you could want to protect was sitting there on a silver platter for any scumbag to take,” the first employee said. “And [TCCS] knew it.”
“You would … hope that you weren’t keeping sensitive data on a server that dates back to 2003 and might crash at any time.” — Harvey Mudd College computer science professor Geoff Kuenning
Callisto remained vulnerable to BlueKeep for months because, after Windows 2003 stopped receiving security updates, IT staff had to identify and respond to vulnerabilities individually. That process can amount to looking for a needle in a haystack, Kuenning said.
“The list of known vulnerabilities is extremely long,” Kuenning said. “It can be really hard to look at the list of vulnerabilities and say, ‘Oh, that one affects me, I better do something about that.’ In theory, it’s really easy, but in practice, it’s a hard problem.”
Even so, warnings about BlueKeep had been circulating widely for months before TCCS took action. When Microsoft identified the vulnerability publicly in May 2019, it was described as an “exploitation more likely” for older softwares.
“You would hope that something [four] months old would have been noticed, especially if it’s dealing with a server that has sensitive data,” Kuenning said. “You would also hope that you weren’t keeping sensitive data on a server that dates back to 2003 and might crash at any time.”
Muna-Landa said TCCS has a monthly update cycle for its systems, but did not specify how this accounts for systems without manufacturer support.
‘Vulnerable as can be’
Old servers such as Callisto are particularly easy targets for those scanning for vulnerabilities, the employees said, whether they have benevolent or malicious intent.
“We knew this thing was a ticking time bomb,” the second TCCS employee said. “There was no support on it. The operating system was vulnerable as can be, and the amount of data that was housed on it was just absurd.”
Even 7C students had notified TCCS that their servers were exposed.
“There have been plenty of times where students send us emails or mess with our file server, leave a message saying, ‘Hey, you might want to close this off,’” the first employee said. “It’s pretty wide open. They can scan networks, wide-open networks, and just tell you all the ports, all the entry points.”
TCCS said they notified the potentially affected colleges of the BlueKeep vulnerability in September. The schools either did not respond to TSL requests for comment or deferred to TCCS.
Originally, Muna-Landa said that, along with Callisto, 14 other computers in Claremont were exposed to BlueKeep, including two with Pomona, one with Pitzer College and 11 with Claremont Graduate University. The 11 at CGU were workstations “firewalled off from the CGU network” and contained “no university data whatsoever.”
After publication, Muna-Landa clarified in a statement on April 27 that none of Pomona’s systems were in fact vulnerable to BlueKeep. Instead, “a consortial system that lives on the consortial network, which is managed by Pomona’s IT staff” was vulnerable but did not put Pomona-owned systems at risk and was patched after the notification. She also said the Pitzer system was running Windows 2012 and not vulnerable, save for an exposed port for which access was restricted.
While the sensitive data that was hosted on Callisto is now stored on a newer system, employees said the IT department continues to use other older software.
“There’re still [Windows] 2003 servers being run,” the second employee said.
Maria Heeter, Kellen Browning, Meghan Bobrowsky, Hank Snowdon and Marc Rod contributed to this story.
This story was updated April 28 at 2:45 p.m. to incorporate a new statement from TCCS.