WSLCB's Chief Information Officer went over the “API Key Reset” security incident with integrators, though new information was limited.
Here are some observations from the June 21st Washington State Liquor and Cannabis Board (WSLCB) Integrator Work Session.
My top takeaways:
- WSLCB CIO Mary Mueller addressed the “API Key Reset” incident. While still restricted from speaking plainly by policy of the Washington State Office of the Chief Information Officer, CIO Mueller shared new information about the computer security incident (transcript, audio).
- CIO Mueller stated, “…we had started to get questions from one or more integrators last week that data was being deleted through the API” using active licensee API keys in an unauthorized way. CIO Mueller added, “To date there is no evidence that the systems themselves were compromised,” a statement which seemed to be inclusive of third-party integrator systems. Increasingly, it sounds like some subset of licensee API keys were acquired by unknown means (possibly a prior computer security breach) and an unauthorized system accessed MJ Freeway Leaf via its API.
- WSLCB intends to implement the computer security best practice of requiring licensee API key resets every 90 days. Integrators will be assigned API keys to be used in conjunction with licensee API keys to ensure only authorized third parties can access MJ Freeway Leaf. And MJ Freeway is contractually required to migrate the Leaf system to a more robust OAuth authentication and access control paradigm as a condition of product acceptance.
- Communication about the computer security incident was difficult for all parties, and CIO Mueller stated WSLCB has created new communication protocols as a result. She hinted at the subtext of future communications:
…moving forward, if we ask for a non-scheduled API key reset, um, just assume that it’s security-related. …if it’s our system that impacts your licensees you will know that it’s something with our system and I will say “it’s something with our system but I can’t discuss it.” And if I’m not talking about that, that means that it’s something in an integrated solution or related to a compromise of API keys that is getting in from outside of one of the known integrators.
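The controls WSLCB described in the third bullet (an integrator key required alongside the licensee key, licensee keys bound to authorized integrators, and a 90-day reset cycle) can be illustrated with a gateway-side authorization check. The following is an added example, not code from WSLCB, MJ Freeway, or the Leaf system; the class and function names, key format, identifiers and timestamps are all constructed for illustration.

```python
"""Gateway-side check modelled on the controls described in the work session:
a request must carry BOTH an integrator key and a licensee key, the licensee key
must be authorized for that integrator, and licensee keys older than 90 days are
refused until reset. Constructed example; names and data are assumptions."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import secrets

MAX_KEY_AGE = timedelta(days=90)  # the 90-day reset cycle described by WSLCB


def _fingerprint(key: str) -> str:
    # Store only a hash of each key so a leaked registry does not yield usable keys.
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class LicenseeKey:
    licensee_id: str
    issued_at: datetime
    allowed_integrators: frozenset  # integrator ids permitted to use this key
    revoked: bool = False


class KeyRegistry:
    def __init__(self):
        self._integrators = {}  # fingerprint -> integrator_id
        self._licensees = {}    # fingerprint -> LicenseeKey

    def issue_integrator_key(self, integrator_id):
        key = secrets.token_urlsafe(32)
        self._integrators[_fingerprint(key)] = integrator_id
        return key

    def issue_licensee_key(self, licensee_id, allowed_integrators, issued_at):
        key = secrets.token_urlsafe(32)
        self._licensees[_fingerprint(key)] = LicenseeKey(
            licensee_id, issued_at, frozenset(allowed_integrators))
        return key

    def reset_licensee_key(self, old_key, now):
        """Scheduled or unscheduled reset: revoke the old key, issue a fresh one
        with the same integrator bindings. The old key stops working immediately."""
        rec = self._licensees.get(_fingerprint(old_key))
        if rec is None:
            raise KeyError("unknown licensee key")
        rec.revoked = True
        return self.issue_licensee_key(rec.licensee_id, rec.allowed_integrators, now)

    def authorize(self, integrator_key, licensee_key, now):
        """Return (allowed, reason). Deny by default; each failure names its cause
        so the gateway can log it and operators can spot misuse patterns."""
        if not integrator_key or not licensee_key:
            return False, "both integrator and licensee keys are required"
        integrator_id = self._integrators.get(_fingerprint(integrator_key))
        if integrator_id is None:
            return False, "unknown integrator key"
        rec = self._licensees.get(_fingerprint(licensee_key))
        if rec is None:
            return False, "unknown licensee key"
        if rec.revoked:
            return False, "licensee key revoked"
        if now - rec.issued_at > MAX_KEY_AGE:
            return False, "licensee key older than 90 days; reset required"
        if integrator_id not in rec.allowed_integrators:
            return False, f"licensee key not authorized for integrator {integrator_id}"
        return True, f"ok: {integrator_id} acting for {rec.licensee_id}"


def demo():
    """Exercise the policy against constructed keys; returns a dict of outcomes."""
    reg = KeyRegistry()
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed issue date
    ikey = reg.issue_integrator_key("integrator-A")
    other_ikey = reg.issue_integrator_key("integrator-B")
    lkey = reg.issue_licensee_key("licensee-123", ["integrator-A"], t0)
    day10, day91 = t0 + timedelta(days=10), t0 + timedelta(days=91)
    results = {
        "valid_pair": reg.authorize(ikey, lkey, day10)[0],
        # a licensee key presented on its own (no integrator key) is refused
        "licensee_key_alone": reg.authorize(None, lkey, day10)[0],
        # a valid licensee key presented by an integrator it was never bound to
        "wrong_integrator": reg.authorize(other_ikey, lkey, day10)[0],
        # the same key after the 90-day window: must be reset first
        "stale_key": reg.authorize(ikey, lkey, day91)[0],
    }
    new_lkey = reg.reset_licensee_key(lkey, day91)
    results["old_key_after_reset"] = reg.authorize(ikey, lkey, day91)[0]
    results["new_key_after_reset"] = reg.authorize(ikey, new_lkey, day91)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The two-key requirement means a licensee key obtained by itself, whether from a prior breach or any other source, is not sufficient to call the API; the integrator key identifies which authorized party is acting, and the binding check refuses a licensee key used through an integrator the licensee never enrolled with. Hashing keys at rest and returning a specific denial reason are design choices for the defender's side: the first limits the blast radius of a registry leak, the second gives the gateway log the detail needed to notice a pattern like the one described above.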