Hackers infiltrate Cal Poly

August 4, 2005

By Kenneth Todd Ruiz, Staff Writer


POMONA -- Computer hackers added Cal Poly Pomona to a growing list of schools from which personal information has been accessed illegally. Notices went out on Thursday to 31,077 people informing them that their records might have been stolen after Cal Poly Pomona discovered two computer servers were compromised in late June.

"We got hit by a hacker," said Debra Brum, interim vice president of instructional and information technology.

Personal data, including names and Social Security numbers of university applicants and of current and former faculty, staff and students, were accessed in the security breach.

Recent graduate Robert Pedraza, 26, said he is troubled by the intrusion.

"If you break into a system, you went in there deliberately to do harm," Pedraza said. "It sounds like there was something they were after."

Cal Poly is unable to determine whether any of the records were copied or downloaded, said university spokesman Ron Fremont.

The school discovered the breach during routine network monitoring on June 29, which university officials said is likely the day the attack occurred.

Systems compromised included student transfer records, a system for scanning in applications and a limited amount of payroll data that Brum said did not include financial information.

Shahnaz Lotfipour, a professor of multimedia productions, said she immediately called credit agencies and put a fraud alert on her account. She said Internet insecurity is an issue worldwide.

"I hope the global community (will) do something about this problem ... I don't think anybody's safe," Lotfipour said.

Fremont said they delayed announcing the attack to investigate the incident and determine the extent of information compromised.

The attack on Cal Poly is among several recent incidents at California colleges.

Also in June, hackers absconded with more than a quarter-million applicant records from USC. It was enough to prompt USC officials to urge former applicants to check their credit for fraudulent activity.

On July 26 Cal State Dominguez Hills discovered three-quarters of its student records had been compromised. The same occurred with 59,000 Cal State Chico student records in March.

"We're in an ongoing battle with hackers and intruders on the Internet," said Dan Manson, Cal Poly computer and information systems professor. "We build up better defenses; they build up better attacks."

Fremont said the school is still investigating the incident and does not rule out the possibility it is related to others.

"We're considering all options," he said.

So far, Brum said, they have been unable to trace the source of the cyber-assault.

Internet infiltrators gained access to the system through a security hole in a particular application, Brum said.

She would not name the vulnerable program for fear the attack could be replicated by others.

"The vendor found out about this vulnerability in their software the same week this incident happened," Brum said. "It's a real challenge. If you let more people know how the vulnerability works, you have more bad guys who are going to use it."

Every day, numerous exploits emerge from the "black-hat" hacking community, according to Web sites that post security notices. The "black-hat" hackers are so named by computer security experts for their malicious intent.

Advocates for "open-source" software, the programming code of which is freely available, fault the reluctance of software companies to acknowledge security holes for the ongoing success of digital rogues.

"If we control the distribution of information, we're essentially making sure only the bad guys have it," said Bruce Perens, senior research scientist for George Washington University and vice president of SourceLabs, Inc.

In most cases, system administrators only learn of a vulnerability after it has been exploited and a developer has had time to produce a fix.

With the California Security Information Breach Act, which went into effect in 2003, companies and institutions are now compelled to inform people when their personal information might have been compromised.

In the past two years, Cal Poly has notified 400 students that their personal information, such as Social Security numbers, was posted online, Brum said.

The U.S. Senate is working on the Personal Data Privacy and Security Act, which would extend provisions similar to California's law across the nation.

School officials are urging those possibly affected to visit www.csupomona.edu/notices/security to find information about identity theft, as the information could be used for fraudulent purposes.

By calling (909) 979-6100, individuals can learn if their information is at risk.

"This isn't the first time this happened at a campus, and it won't be the last, but we're taking every step to make sure this won't happen again," Fremont said.

Staff writer Esther Chou contributed to this report. Kenneth Todd Ruiz can be reached at (909) 483-8555 or by e-mail at todd.ruiz@dailybulletin.com
