SDSU says computer server was infiltrated

March 17, 2004

By Karen Kucher, Union-Tribune Staff Writer

San Diego State University is warning more than 178,000 students, alumni and employees that hackers broke into a university computer server where names and Social Security numbers were stored.

The university began mailing out notification letters Monday, urging people whose personal information was on the server to get copies of their credit reports and review them for suspicious activity.

The SDSU case appears to be the largest such notification made under a state law that went into effect last July requiring companies and state agencies to contact people when their computerized personal data have been compromised.

University officials said the hackers infiltrated a server in the Office of Financial Aid and Scholarships in late December and used it to send spam e-mail messages and transfer files, including MP3 music files.

The problem was discovered in the last week of February and SDSU took the server off the network.

"We have moved as absolutely quickly as logistically possible" to notify individuals affected by the security breach, said Ellene Gibbs, director of business information management at SDSU.

The server contained financial aid reports about current, former and prospective students - as well as some SDSU employees - who sent in financial aid applications since 1998, but not the applications themselves or award information.

This is the second time that SDSU has suffered a security breach that put computerized personal data at risk. The university notified around 1,000 people in December when a server used by the library was hacked, Gibbs said.

Under the state law, businesses and state agencies are required to notify customers when personal data, such as Social Security numbers or financial account numbers, may have fallen into the wrong hands.

That warning is designed to give people the chance to quickly act to protect themselves against thieves who would use stolen personal information to open new credit accounts and make unauthorized purchases.

SDSU recommends that those affected by the security breach obtain a copy of their credit report. A spokeswoman with the Privacy Rights Clearinghouse suggests people go a step further and request that one of the three credit reporting agencies flag their file with a fraud alert.

With a fraud alert in place, credit reporting agencies will contact the person if someone tries to establish new credit in his or her name, and also will waive the fee for the credit report.

"We also suggest people monitor their credit reports on a quarterly basis at least for a year," said Jordana Beebe, communications director for the Privacy Rights Clearinghouse.

California, which has the third highest per-capita rate of identity theft in the nation, has not officially tracked the number of cases in which security breaches have occurred.

Before the SDSU case, however, the largest notification was thought to be the more than 90,000 household workers and employers who were mailed letters in February from the state Employment Development Department, said Joanne McNabb, chief of the state's Office of Protection.

"This law may get some practices changed because people don't like getting these notices," McNabb said.

SDSU said there is no indication that the intruders targeted confidential information in the system.

"We don't have any indication that the illegal server access was used for the purpose of identity theft, but we can't take that chance," said university spokesman Jason Foster. "We have to let people know what happened and let them take steps to protect themselves."

The case is being investigated by university police. The FBI also has been notified because there is evidence that the hackers broke into the server from another state, said SDSU police Capt. Steve Williams.

SDSU is in the process of implementing a new ID number system that will provide students and employees with a randomly generated nine-digit number - instead of their Social Security numbers - for many student transactions, including financial payments and library services.

Gibbs said the use of the new ID system - dubbed the "Red ID" program - should help combat unauthorized access to personal information.

SDSU has put information about the incident on its Web site at People with concerns or questions about the case also can call the university's Information Technology Security Office at (619) 594-5393.

main page ATTRITION feedback