Security Incident Played Role in Traceability
System Rollout Disruption
Dear Licensees:
I am writing with an important message
regarding the complications with this week’s transition to the new traceability
system, Leaf Data Systems.
Intrusion
of Traceability
A computer vulnerability was exploited
on Saturday, allowing unauthorized access to the traceability system. There are
indications an intruder downloaded a copy of the traceability database and took
action that caused issues with inventory transfers for some users. We believe this
was the root cause of the transfer/manifest issue experienced between Saturday
and Monday.
As we’ve communicated already, that
issue was corrected on Monday Feb. 5, 2018, and communicated to licensees. We recognize that there are other known issues
within the system. There are workarounds for most. They will be fixed in
subsequent releases.
The state’s
vendor, MJ Freeway, became aware of the transfer abnormality on Saturday. The
company immediately began a review and identified it as a potential security
incident on Monday. MJ Freeway immediately notified the WSLCB. The WSLCB then
contacted the Washington State Office of CyberSecurity, (OCS), which examined
the data taken to determine if it contained personally identifiable
information, PII.
No
Personally Identifiable Information Released
The information captured by the intruder
does not contain personally
identifiable information, such as names and social security numbers. However,
we wanted to make you aware of the incident.
The following information was accessed during
the incident:
- Route information of manifests filed between Feb. 1
and 4, 2018.
- Transporter vehicle information including VIN, license
plate number and vehicle type. The database does not include driver or driver
license information.
With the exception of the manifest data all
the information obtained via the intrusion is publicly available. The WSLCB already
responds to requests for publicly available records per the state’s public records
law.
Because there is no personally
identifiable information, there is nothing that licensees need to do at this
time. As a precaution, with the above in mind, please review your transport
plans and take any appropriate steps you feel necessary for your business.
Current
Status
The WSLCB and MJ Freeway continue to
implement several strategies to prevent future vulnerabilities to future intrusions.
This includes full logging and monitoring and working with third-party
entities. Since this remains an active investigation, details on security are
not publicly available.
Next
Steps
The LCB is hosting a live webinar Friday
at 10:00 a.m. that will include myself and leaders from our IT division, MJ
Examiners unit, and enforcement. You may register here.
The bottom line is that this incident is
unfortunate. There will continue to be malicious cyberattacks on the system.
This is true of any public or private system and is especially true of the
traceability system. Know, however, that we will continue to take necessary
steps to protect all traceability information. This includes an ongoing review
of the information we require in traceability and the implementing the best
practices in security.
As always, continue checking your email
for notifications and the WSLCB website
for the latest information.
Sincerely,
Peter Antolin
WSLCB Deputy Director
Traceability Project Executive Sponsor
|
