8 Cal State Campuses Report Data Breach from Sexual Harassment Course


Students at eight Cal State campuses have had their data exposed after the breach of a class provider.

Almost 80,000 students had their class passwords, sign-in names, campus email addresses, gender, race, relationship status, and sexual identity exposed. Particularly sensitive information like Social Security numbers, credit card info, or driver’s license numbers were not revealed, but students may still be identified by the compromised data. Affected campuses are those at Channel Islands, Los Angeles, San Bernadino, Maritime Academy, Cal Poly Pomona, Northridge, San Diego and Sonoma, writes the Associated Press.

Because of a state law, Cal State students are required to take a noncredit course on sexual harassment. Students who took the class entitled Agent of Change with the San Diego-based organization We End Violence, rather than two other providers, had data compromised by hackers. This vendor was one of several recommended by a White House task force on the prevention of sexual violence on campus.

The company was alerted about a possible problem on August 24th, according to the director of We End Violence, Carol Mosely. Two days later, the website was shut down, but students were not informed until Friday.

Mosely said:

We were working as quickly as we could and had to be sure we had the correct student list and that the CSU system was aware of what was going on … so they could provide their own responses. We believe in shutting down the website on the 26th we were protecting students at that point.

The college has hired a forensics firm to investigate what went wrong. Not many details have been released on the cause, reports the staff of the Suffield Times, beyond a “vulnerability in the underlying code.” The organization has received no indication that user information has been misused, writes Beau Yarbrough and Josh Dulaney of the Sun, and its web developers are working on getting the site back online.

Carla Rivera of the LA Times quoted a statement issued by the chancellor’s office:

Protecting student data and personal information is a top priority of the California State University (CSU). As soon as it was learned that student information was exposed by a third-party vendor (hired to provide Web-based sexual assault and prevention training), immediate action was taken at the eight impacted campuses to further safeguard student information.

Affected students are urged to change their passwords. Those with questions can call a toll-free hotline created specifically for this purpose at (877) 218-2930.

At Cal State LA, 488 students were affected. They were notified by the university on Thursday and received a campus-wide email on Friday.

Spokesman Robert Lopez said:

Students were told to change their password and to beware of phishing — seemingly legitimate-looking emails.

16,702 students at Cal State San Bernardino were affected. Brian Haynes, CSUSB’s vice president of Student Affairs, said in an email:

The vendor has taken full responsibility for this breach and is communicating with our students on mitigation measures they can take.