Whistleblower Says He Warned University Of Maryland Before Data Breach
BALTIMORE COUNTY, Md. (WJZ) — A data breach drew the nation’s attention to the University of Maryland. It exposed sensitive information, including Social Security numbers of hundreds of thousands of current and former students and employees, and it led to an FBI raid on the home of a software engineer in Baltimore County whose former employer contracted with the university.
Mike Hellgren spoke exclusively to him about what they were looking for.
His name is David Helkowski. He says he was never involved in that massive data breach but tried to expose a hole in the university’s security months before it happened and claims no one would listen. He now admits some of his tactics may have gone too far.
In February, the University of Maryland apologized for what it called a sophisticated cyber attack that exposed names, birth dates and other sensitive information of more than 300,000 staff, students and alumni.
As part of its investigation into that attack, the FBI recently raided a home in Parkville. It belonged to Helkowski, a self-described hacker who, at the time of the attack, worked for a software consulting firm, The Canton Group, based in Baltimore. The Canton Group consulted for the University of Maryland.
“At the time they raided my house, I totally cooperated with the FBI. I told them all of my passwords,” Helkowski said. “I want to help the university. I don’t mean any harm against anyone. I just want things to be improved.”
Helkowski says as part of his job, four months before the cyber attack, he discovered a huge cyber security hole in the university’s system and warned his employer.
“I was like, ‘OK, great, I’ve done my due diligence. They’ll pass it on to the university and they’ll fix the problem,’” he said.
But Helkowski says the hole never got fixed and, in fact, became bigger.
After news of the cyber attack broke, he claims he again warned of the vulnerability. This time, fearing no one was listening, he eventually went directly to the university.
“I actually called the University of Maryland police department. I said, ‘My name is David Helkowski. I know some information on data security that needs to be fixed’ and, I said, ‘Who do I talk to?’” he said.
After meetings between the school and his employer, Helkowski says he thought the hole would finally get fixed but claims he again went into the system a few weeks later and found the same security lapses. That’s when he says he began posting anonymous warnings–contained in an FBI affidavit–and went so far as to post University President Wallace Loh’s Social Security number online.
“I only did it in order to demonstrate, ‘Hey, please don’t ignore me. I really want to share this information with you.’ I believed I would be ignored otherwise,” he said. “I would never have posted the Social Security number of the president if I had known the implications of that.”
The FBI won’t comment on Helkowski’s investigation.
WJZ also asked the Canton Group for comment. In a statement, they said, “David Helkowski is no longer employed…The Canton Group has and will continue to cooperate and work with all law enforcement agencies on this ongoing investigation.”
Helkowski has not been charged with any crime but says he fears he could go to jail.
“Because this is a lot of sensitive information, people were very concerned about what a malicious person could do with this information. People don’t know that I’m not a malicious individual,” he said.
Again, Helkowski says he had no role in the big data breach and was just trying to help. He now believes the university has addressed its security vulnerabilities.
No arrests have been made in that breach.
The FBI’s investigation into all of this is ongoing.