Bank, credit card information stolen through Stan State eateries

January 12, 2008

By Michelle Hatfield

Some people using a bank or credit card at California State University, Stanislaus, dining facilities within the past six months appear to have had their personal information stolen.

A possible data breach occurred on a food vendor's computer server. Credit card numbers, cardholder names and expiration dates were exposed, leaving hundreds, possibly thousands, of university students, staff and guests open to identity theft, with victims reporting fake charges on their cards, officials said Friday.

Social Security numbers were not accessible, they said.

Investigators are determining how many people are affected. Credit and bank card transactions have been suspended in Stanislaus State's main dining hall, Mom's coffee shop and Pop's convenience store. Campus dining averages 2,500 customers and 300 to 400 charge transactions daily through Sodexho, the campus's food vendor.

About 5,000 students are taking winter term classes this month between the fall and spring semesters. It is possible the card information was stolen as early as the fall semester, when more than 8,800 students were on campus.

University police do not have any suspects, according to Chief Steve Jaureguy.

Information about the breach came to the attention of university leaders in November when someone's credit card information was used fraudulently. University police launched an investigation with the Stanislaus County Hi-Tech Crime Task Force, district attorney's office and Sheriff's Department.

Jaureguy said numerous victims have come forward, including students, employees and university visitors, but he would not reveal how many. Illegal purchases have been made at off-campus locations, but officials wouldn't release a dollar figure. University police would not provide details about where or what has been bought with the stolen information.

Officials would not release how the personal information was stolen from the Sodexho server, but other university servers don't appear to have been affected. The breach doesn't appear to be an instance of hacking but of the information being made available and people taking advantage of that, Jaureguy said.

Notification held back

Investigators narrowed their search of the leak to Sodexho on Monday. Students and staff were notified via e-mail Friday, two months after the first reported identity theft. Authorities waited because there was no telling where the breach came from, said Kristin Olsen, university spokeswoman.

"The reason (for the delay) was University Police and the Hi-Tech Crime Task Force did not want to compromise the investigation," she said.

Campus dining won't accept bank or credit cards until Sodexho's on-site server is secure, which officials had hoped would be Jan. 11.

In the future, "the university will be certifying that computer systems on campus are complying with security features," Ol-sen said. She was unsure whether any certification existed before the breach.

Sodexho spokesman Anthony Owens said the company is working with investigators but said there's no evidence linking its servers to the breach.

Sodexho serves food to 10 million customers in the United States, Canada and Mexico at corporations, health care agencies, schools and government offices, according to its Web site. The company has been at Stanislaus State since 1998, and since 1992 as Marriott before the two merged, Olsen said. Owens said the relationship dates to 1966.

Stanislaus State has had security breaches in the past. The most recent was the 2005 hacking into a file server in the financial services office in which 877 student workers' names and Social Security numbers were accessed. Also in 2005, nearly 1,300 former and current employees had their names, addresses and Social Security numbers and those of their dependents put into an Internet cache system, Olsen said.

Information was stolen at the University of California in November 2006, which affected about 1,300 current and former employees -- 468 of them student employees -- at UC Merced. The security attack was on a UC system database in Los Angeles; 800,000 people at UC Merced, UCLA and the UC Office of the President in Oakland had their information compromised, making it one of the largest database breaches at a U.S. university.

Anyone who has used a bank or credit card at a campus dining facility in the past six months is encouraged to review bank or credit statements for fake purchases. He or she also can call University Police at 667-3114 or visit the California Office of Privacy Protection's Web site at

main page ATTRITION feedback