A data breach at eight Cal State campuses exposed the personal information of nearly 80,000 students enrolled in an online sexual violence prevention course, officials said Tuesday.
The Cal State system had hired the vendor We End Violence to provide the noncredit class on sexual harassment, which is required of all students under state law. Students who took the training with that company had their data hacked.
Two other vendors were also providing the classes but the data of students in those classes were not compromised, Cal State spokeswoman Toni Molle said.
Cal State officials said they had few details on how the hack occurred other than there was a “vulnerability in the underlying code.”
Cal State has hired a forensics firm to investigate.
Information such as passwords used to log into the class, as well as sign-in names, campus-issued email addresses, gender, race, relationship status and sexual identity were exposed.
Personally identifying information such as Social Security, credit card and driver's license numbers was not compromised, Molle said.
Campuses involved are Channel Islands, Los Angeles, San Bernardino, Maritime Academy, Cal Poly Pomona, Northridge, San Diego and Sonoma.
“Protecting student data and personal information is a top priority of the California State University (CSU),” read a statement issued by the chancellor's office. “As soon as it was learned that student information was exposed by a third-party vendor (hired to provide Web-based sexual assault and prevention training), immediate action was taken at the eight impacted campuses to further safeguard student information.”
All affected students were advised to immediately change their passwords. Also, a toll-free hotline was created for students' questions, (877) 218-2930.
The company was first alerted about a possible breach on Aug. 24, said Carol Mosely, director of We End Violence.
The website was shut down two days later. Students, however, were not informed by the company until Friday, Mosely said.
“We were working as quickly as we could and had to be sure we had the correct student list and that the CSU system was aware of what was going on … so they could provide their own responses,” Mosely said. “We believe in shutting down the website on the 26th we were protecting students at that point.”
Although no direct personal information was exposed, it's possible that students could be identified based on their use of the computer program, Mosely said.
The company is working to ensure the site is secure so that students can complete the class, she said.
At Cal State L.A., about 488 students were affected by the data breach, spokesman Robert Lopez said.
Those students were notified by the university Thursday and a campus-wide email was sent Friday.
“Students were told to change their password and to beware of phishing — seemingly legitimate-looking emails,” Lopez said.
Regular classes at Cal State L.A. begin Sept 24.