A former contract worker for the University of Maryland said he hacked into scores of databases in the school’s computer system and posted the university president’s “private information” online to draw attention to security problems.
David Helkowski, 32, has been linked to a security breach in March that involved accessing student grade-point averages and student and employee Social Security numbers and contact information, as well as exposing the Social Security and cellphone numbers of university President Wallace D. Loh. In February, there was a larger security breach of roughly 300,000 sensitive records of names, Social Security numbers and birth dates of students and staff and faculty members. Helkowski has not been accused of involvement in that breach.
Helkowski told the Baltimore Sun that he saw flaws in the university’s system even before February’s breach and that he brought up his worries but grew frustrated. He has not been charged with a crime and told the Sun that he considers himself a whistleblower.
“I had to do it, because if I did not do that, they wouldn’t have acknowledged the seriousness of the problem,” Helkowski told the Sun.
In an e-mail Thursday, a U-Md. spokesman said “the university does not comment on ongoing investigations.” On March 20, U-Md. disclosed a security breach that resulted in the release of personal data of an unidentified “senior university official.” Court documents now suggest that the official was Loh.
Helkowski could not be reached to comment Thursday, and a telephone number listed for his residence in Baltimore County did not accept messages.
FBI agents searched Helkowski’s home in Parkville after connecting him to March’s security breach. The federal agency looked at a laptop, hard drives and flash drive storage devices.
The search warrant refers to a long post Helkowski put online saying he was a computer hacker and describing how he used “standard attacks against the UMD site to attempt to gain access.”
On the site pastbin.com, under the pseudonym “theppm7,” he wrote that he “found holes” in the university’s system. He said he was able to “obtain full access to almost all of the websites hosted by the UM system, as well as more than 80 databases of information at UMD.”
Helkowski said he was able to “replicate” February’s major data breach and posted Loh’s information online as proof of the university’s “incompetence” in securing its sensitive data. The FBI agent who wrote an affidavit in support of the search warrant noted that “personally identifiable information” of a University of Maryland official was included in Helkowski’s posting but was omitted from the affidavit because of privacy concerns.
Why hack the system? Helkowski wrote in the posting that, in part, it was because he “wanted to prove that the security at UMD is still terrible. I have done so. That was and is my goal.”
Helkowski said he warned his supervisors at the Canton Group, a Baltimore-based technology firm that employed him, about the university’s vulnerability, but he said he became convinced that his concerns were not being addressed.
He said he also sent an e-mail on March 15 to Loh and others on a university-created task force urging them to look at cyberattacks and warning them to tighten security. He said he exchanged e-mails with the university’s information security officials.
Helkowski said he was let go after he told his employers about the FBI raid, according to the Sun article. The Canton Group said that Helkowski is no longer an employee and that it is cooperating with law enforcement and conducting an internal investigation.
Many U-Md. alumni, students, faculty, staff and others connected with College Park were deeply concerned about February’s data breach, which led the university to offer five years of free credit protection to those who were affected. The latest estimate is that 287,580 records were breached Feb. 18. Most of those have since been purged.