Database Password Theft: A Lesson on Monitoring Billing & Preventing Loss
By Nanna K. Frye, Published on February 1, 1998
Nanna K. Frye (J.D. & M.S.L.S.) is currently the Law Librarian for the Court of Appeal, 4th District in San Diego.
(Archived March 1, 1998)
Some would say it was inevitable, and I would agree. After all, a WESTLAW, LEXIS or any other database password is a commodity worth stealing, whether for personal or commercial use. Passwords are the keys that unlock the doors to information, some of which, as any law librarian knows, can be very expensive to obtain, and sometimes a high-cost database is the sole source for it. Thus there is plenty of motivation to short-circuit the billing process altogether by using someone else's password. Since we law librarians are our institutions' custodians for these passwords, there are lessons for us to learn in recounting the story of the WESTLAW password stolen from the City Attorney for San Diego.
Lesson Number One: Always review the usage portion of your bill
Mary Lynn Hyde, one of the heroines of our story and the law librarian for the City Attorney's Office, was reviewing the WESTLAW bill when she noticed something unusual. The City Attorney, her boss, appeared to have become a sudden convert to WESTLAW. Though he had never used it before, he was suddenly making extensive use of the public records databases. Mary Lynn's first thought was, quite naturally, "Did so-and-so recently attend some seminar discussing WESTLAW and now think s/he knows enough to be a user?" That thought was followed by, "Does s/he have any idea what it costs?" The change in the City Attorney's computer research habits was so dramatic that Mary Lynn felt she had to investigate further.
Word quickly came back: "No, the City Attorney did not use the public records databases billed to the city, and he does not even know his password to access WESTLAW." The plot thickens. Someone casually suggested that an extern or law student was probably to blame. But in our experience externs are very diligent about checking with us before doing such a thing. The job market for attorneys in San Diego is not the easiest to break into, so no extern would jeopardize a future job prospect by taking an unnecessary risk like that. Externs know better than attorneys how much law librarians can learn about their usage, so they know they cannot hide. Blaming an extern was not the likely answer.
Obviously, the first step was to cancel the City Attorney's password, since someone was using it without authorization, and Mary Lynn did just that. She also asked WESTLAW to remove the charges, since the use was unauthorized, but she was firmly told "No." The explanation offered was that it is the responsibility of the custodian of the passwords to ensure that they are not stolen or misused. I can understand this policy. If someone is careless in managing their passwords, for example by leaving the password list out for all to see, or by having only one password for the entire office that a former employee decides to keep using, they should pay for their carelessness. WESTLAW should not have to pay the bill simply because it has the bigger pocket.
But in this case Mary Lynn knew she had maintained the security of the passwords and felt that WESTLAW itself had somehow disseminated this one. She was told that it was an inviolate WESTLAW policy not to provide passwords over the telephone except to authorized persons, and that Mary Lynn was the only authorized person in her office to receive them. End of discussion, according to WESTLAW.
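The review that Lesson One calls for can be automated once the usage detail of the bill is available in a machine-readable form, so that a user who has never appeared on the bill before, or a sudden jump in one user's charges for one database, is flagged before anyone has to notice it by eye. The script below is an added example and is not code from the article or from West Group; it assumes the bill has been exported as (billing month, user, database, charge) records, the thresholds are illustrative, and the sample data is constructed to mirror the story (a user with no prior usage suddenly billing about $3,000 in public records searches).

```python
"""
Flag unusual per-user activity in a research database bill.

Added example, not part of the original article. The record layout
(month, user, database, charge) and the thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample bill: three prior months plus the current month.
# "cityatty" has never used the service and suddenly runs up
# public records charges totalling $3,000.
SAMPLE_BILL = [
    ("1997-10", "mlhyde", "CASES", 210.00),
    ("1997-10", "dpa01", "CASES", 180.50),
    ("1997-11", "mlhyde", "CASES", 195.00),
    ("1997-11", "dpa01", "CASES", 160.00),
    ("1997-11", "dpa01", "PEOPLE-FIND", 45.00),   # occasional public records use
    ("1997-12", "mlhyde", "CASES", 230.00),
    ("1997-12", "dpa01", "CASES", 175.00),
    ("1998-01", "mlhyde", "CASES", 205.00),
    ("1998-01", "dpa01", "CASES", 170.00),
    ("1998-01", "cityatty", "PEOPLE-FIND", 1480.00),  # never seen before
    ("1998-01", "cityatty", "PROPERTY-ALL", 1520.00),
]


def monthly_totals(bill):
    """Return {month: {user: {database: total charge}}}."""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(float)))
    for month, user, db, charge in bill:
        totals[month][user][db] += charge
    return totals


def flag_unusual_usage(bill, current_month, new_user_floor=100.0, spike_factor=3.0):
    """
    Return a list of (user, reason) findings for current_month.

    Rules (assumed thresholds, not the vendor's):
      * a user with no charges in any prior month who bills more than
        new_user_floor is flagged as a first-time user;
      * a user billing a database they never used before for more than
        new_user_floor is flagged;
      * a charge for a database exceeding spike_factor times the user's
        highest prior monthly charge for that database is flagged.
    Months are compared as "YYYY-MM" strings, which sort chronologically.
    """
    totals = monthly_totals(bill)
    prior_months = [m for m in totals if m < current_month]
    findings = []
    for user, dbs in sorted(totals.get(current_month, {}).items()):
        prior = {}  # database -> highest prior monthly charge for this user
        for m in prior_months:
            for db, charge in totals[m].get(user, {}).items():
                prior[db] = max(prior.get(db, 0.0), charge)
        total_now = sum(dbs.values())
        if not prior:
            if total_now > new_user_floor:
                findings.append((user, f"no prior usage, billed ${total_now:.2f} this month"))
            continue
        for db, charge in sorted(dbs.items()):
            baseline = prior.get(db, 0.0)
            if baseline == 0.0 and charge > new_user_floor:
                findings.append((user, f"first use of {db}, ${charge:.2f}"))
            elif baseline > 0.0 and charge > spike_factor * baseline:
                findings.append((user, f"{db} charge ${charge:.2f} is "
                                       f"{charge / baseline:.1f}x prior peak ${baseline:.2f}"))
    return findings


if __name__ == "__main__":
    for user, reason in flag_unusual_usage(SAMPLE_BILL, "1998-01"):
        print(f"REVIEW {user}: {reason}")
```

Run against the sample bill, the only finding is the first-time user with $3,000 in charges; the two regular users are not flagged because their charges stay within their own history. A real bill would also need the password or user ID that incurred each charge, which is exactly the field a librarian compares against who is actually supposed to hold that password.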
Lesson Number Two: The Value of Networking With Area Librarians
The problem was that there was no trail to follow. If it was not the City Attorney or an extern, where does one start looking? The prospects were grim. Enter the second heroine of our story, Saw Chng. Saw is a reference librarian at the San Diego County Law Library and works near the WESTLAW terminal. Several weeks before Mary Lynn discovered the unusual WESTLAW usage, Saw happened to notice a young man making extensive use of the terminal after having previously needed sign-on assistance. Since he did not look like an attorney or a law student, she thought she would nose about a bit. After all, everyone knows that any good reference librarian is part detective, and Saw is certainly a good reference librarian.
She asked the usual "Are you finding everything you need?" while noticing that he was using the public records databases. The user said that he was with the City Attorney's Office and that it was noisy back at the office, so he had decided to do his work at the law library. Saw was skeptical. She telephoned Mary Lynn and asked her to come over to the county law library to verify the man's claimed identity. Mary Lynn confirmed that he did not work for the City Attorney's Office and also noticed that he was using the public records databases, but what could they do? They had no evidence at that point that he was committing a crime, even though the circumstances looked suspicious.
It was not until the unusual usage appeared on her bill that Mary Lynn connected the two. Now the problem was how to find this man and ask him some questions. The county law library staff were put on alert, and sure enough he appeared again, but stayed only a couple of minutes. It did not take him long to discover that the City Attorney's password had been canceled, and he left the library before the police could arrive.
If the alleged thief had had any sense, he would have figured that someone was on to him. Instead, he obtained the City Attorney's new password within 24 hours and returned to the county law library to use it. His audacity was his downfall. This time when he appeared, the police were there within minutes and caught him in the act of using the City Attorney's new password. Once again he was searching the public records databases, and during his later questioning he revealed that he was selling the information for $150 per name.
Since the alleged thief had obtained the new password within 24 hours of its issuance and Mary Lynn had not distributed it to anyone, the only other possible source was WESTLAW. The alleged thief confirmed this by naming the WESTLAW employee from whom he had obtained both the City Attorney's password and that of the City Attorney for National City, Calif. It seems he convinced the employee that he was the city attorney in order to obtain the password. This gave Mary Lynn the evidence she needed to get WESTLAW to remove the unauthorized charges, which came to approximately $3000. In the case of National City, the city attorney had yet to discover that his password had been stolen.
Lesson Number Three: It Can Happen to You!
Whether it is WESTLAW, LEXIS or some other database for which you hold passwords, you are vulnerable to those passwords being stolen or misused by others. The theory that someone might steal a password has become cold reality with this incident. Do not think for a minute that this is an isolated case. If this man could do it, anyone can, and there certainly is monetary motivation to do so. Consider taking the following steps to protect yourself:
Contact the database vendor to review its policy for disseminating new and existing passwords by telephone. If only authorized persons are entitled to receive that information, review the list of authorized persons. If the only authorized persons are the law librarian and the librarian's supervisor, evaluate whether the supervisor is the best choice if his or her name is well known. The presiding justice, managing partner, Attorney General, etc. are all names that are easily obtained from directory sources, and, as this incident shows, a caller who can give such a name has proved nothing about who he is.
Encourage your database vendor to use a code system. For instance, under WESTLAW's Rapid Password Manager system for obtaining passwords over the telephone, one must provide a code before being assigned a new password. Hopefully WESTLAW will consider requiring that authorized persons supply this same code to obtain existing passwords, and other vendors will also consider instituting this security measure. Supplying an authorized person's name should not by itself be sufficient.
Contact the database vendor to review its policy for disseminating passwords by facsimile machine, whether new or existing ones. Again, the vendor should require that a code be supplied before the facsimile number on its records can be changed; otherwise a caller need only redirect the fax to a machine of his own.
Spread the word within your institution about stolen passwords so that people will use more caution in guarding theirs. If users have been casual about guarding their passwords because it seemed unlikely that anyone would steal them, there is now direct evidence to the contrary. Sharing this war story may lead them to be less lax in guarding their passwords.
If client billing is not used at your institution, require that users enter a term or phrase briefly describing their case or issue at the "client account" screen. This will help jog their memory as to what they were researching if questions arise later.
The situation in San Diego was especially unfortunate because West Group simply did not follow its own procedures for ensuring password security. The incident was especially upsetting to us because West Group maintains one of the most stringent password security policies in the industry. WESTLAW customers should be assured that WESTLAW is a secure online system, especially regarding the issuing of passwords.
The following describes West Group's password security measures. If customers have any questions, they can call 1-800-514-4111.
Only the WESTLAW Rapid Password Manager Service releases WESTLAW passwords.
When an individual requests a password by phone because they forgot their password, the WESTLAW Rapid Password Manager Service representative verifies the individual's identity and explains that the password can be released only to the authorized firm contact. The representative then calls the appropriate firm contact and releases the password upon his or her approval. The requestor can then receive the password from the authorized firm contact.
Passwords are not sent by fax to customers or field staff. On an exception basis, we will fax only if verbal or written agreement is made by the customer or field representative to be fully responsible for the security of passwords.
Passwords are never sent to customers or West Group field staff using Internet, or any other kind of e-mail.
Passwords for customers are released to a WESTLAW or West General Sales representative on the phone only after verifying the representative's password on the internal WESTLAW security system.