Data of 79,000 CSU Students Hacked after Compulsory Sign-Up with 3rd Party

Wednesday, September 09, 2015

All California State University (CSU) students were required to sign up for a non-credit course, provided by a third-party company called “We End Violence,” aimed at preventing crimes against women. They had to log in with usernames and passwords, and provide personal information.

On Tuesday, CSU announced that the company’s computers had been hacked and data on 79,000 students—name, age, student ID number, e-mail address, gender, race, relationship status and sexual orientation—was compromised. The school said the hacker haul did not include Social Security, credit card or driver’s license numbers.

CSU enrollment is 460,000. Not all campuses were involved, just Channel Islands, Los Angeles, San Bernardino, Maritime Academy, Cal Poly Pomona, Northridge, San Diego and Sonoma.

Students were told last March they had a month to sign up for the class or a hold would be put on their fall admission.

CSU Northridge’s Division of Student Affairs explains on its website that the program is the school’s response to enactment of the federal Violence Against Women Reauthorization Act in March 2013. It requires “universities to provide sexual violence prevention and awareness programs that educate students about prohibitions, reporting procedures, the university’s response to incidents and resources for victims.”

A White House task force in 2014, responding to statistics that around 20% of women are sexually assaulted in college, said that changing “attitude, behavior—and the culture” was one of the keys to reducing the violence. The aim was not necessarily to reach the perps. “Most men are not perpetrators—and when we empower men to step in when someone’s in trouble, they become an important part of the solution.”

One group not on board with the sensitivity training, Independent Women’s Forum, called it a “re-education” program. They said it's an “ultra-politically correct video game” and lamented that college administrators would “shove it down the students’ throats.”

We End Violence director Carol Mosely told the Los Angeles Times the company learned of the hack on August 24 and shut down the website two days later out of “an abundance of caution.” 

Students weren’t informed by the vendor until September 4. A CSU official told the Times a “vulnerability in the underlying code” led to the hack.

At least one student is using the breach as a learning experience to explore the legal ramifications of what CSU has done. Carlos Alberto told the CSU Northridge Sundial:

“I think it’s kind of messed up that something the school forced us to do, which we didn’t have a choice . . . it really stinks that we have [this] problem that now that our information is out there. It’s almost as if you hire somebody to do some work but their worker breaks something in your house or has a problem . . . it doesn’t really matter, it’s your point of contact . . . that should be held responsible.”

–Ken Broder


To Learn More:

Student Data Exposed Following Agent of Change Leak (by Daniel Shin, California State University, Northridge Sundial)

CSU: 79K Students Had Data Breached on Third-Party Website (by Josh Dulaney, Long Beach Press Telegram)

Cal State Data Breach Hits Nearly 80,000 Students (by Carla Rivera, Los Angeles Times)

Deadline Approaches for Students to Complete “Agent of Change” (by Dena White, California State University, Northridge Sundial)

Cal State East Bay Computers Safe from Aesthetes but Not Hackers (by Ken Broder, AllGov California)
