Hackers tap server at Cal State Hayward

September 23, 2004

By Ricci Graham, Staff Writer

http://seclists.org/lists/isn/2004/Sep/0086.html



HAYWARD -- A computer hacker somehow gained access to the records of about 2,000 Cal State Hayward students earlier this month, prompting campus officials to send out letters warning students that their personal information may have been compromised.

Kim Huggett, director of public affairs at Cal State Hayward, said on Wednesday that officials have not determined how the hacker was able to "briefly gain unauthorized access" to student records through one of the campus servers.

The computer security breach was brought to the attention of the university's Information Security Office on Sept. 7, Huggett said.

Cheryl Walton-Washington, the school's chief information security coordinator, said the New York-based Office of Cyber Security and Critical Infrastructure Coordination discovered that a campus Web page had been defaced on or about Sept. 7. The cyber intruder had also placed two unauthorized files on the server, she said.

Officials there in turn contacted the California State Office of Information Privacy, which notified university administrators of the computer breach, Walton-Washington said.

"I can't share with you what they saw, because the server had been taken offline to begin the appropriate task of investigation," Walton-Washington said.

Walton-Washington said her office has concluded its investigation, although she concedes that it will be virtually impossible to determine who the responsible party is.

"That is actually going to be terribly difficult," Walton-Washington said. "We can't identify who. The most we have is a very benign Web address, and it's not a person."

The university has taken a number of steps to put additional fire-walls in place to prevent someone from hacking into the server again, Walton-Washington said. Asked what they were, Walton-Washington said: "Action has been taken, but I'd rather not go into detail to encourage someone else. But we have taken steps to secure this (server)."

Dick Metz, the school's vice president of administration and business, said his office shipped an estimated 2,000 letters to students whose personal information may have been accessed. Some of the potentially compromised information includes names, Social Security numbers, addresses and telephone numbers, Metz said.

"While there is no evidence that the intruder accessed any private information, we are notifying every student who might be affected so they can alert a credit reporting agency should they choose to do so," Metz said.

In his letter to students, Metz issued an apology on behalf of the university, saying, "We consider any breach of our computer security a serious matter, so please accept our apologies."

Cal State Hayward is the latest campus to have its server illegally tapped into.

Earlier this year, officials at Cal Poly, San Luis Obispo had to issue a warning to about 700 students after an online break-in. The same occurred at San Diego State, requiring officials there to notify more than 178,00 current, former and prospective students.


main page ATTRITION feedback