[ISN] Hackers tap server at Cal State Hayward

InfoSec News isn at c4i.org
Fri Sep 24 03:36:31 EDT 2004


By Ricci Graham
September 23, 2004 

HAYWARD -- A computer hacker somehow gained access to the records of
about 2,000 Cal State Hayward students earlier this month, prompting
campus officials to send out letters warning students that their
personal information may have been compromised.

Kim Huggett, director of public affairs at Cal State Hayward, said on
Wednesday that officials have not determined how the hacker was able
to "briefly gain unauthorized access" to student records through one
of the campus servers.

The computer security breach was brought to the attention of the
university's Information Security Office on Sept. 7, Huggett said.

Cheryl Walton-Washington, the school's chief information security
coordinator, said the New York-based Office of Cyber Security and
Critical Infrastructure Coordination discovered that a campus Web page
had been defaced on or about Sept. 7. The cyber intruder had also
placed two unauthorized files on the server, she said.

Officials there in turn contacted the California State Office of
Information Privacy, which notified university administrators of the
computer breach, Walton-Washington said.

"I can't share with you what they saw, because the server had been
taken offline to begin the appropriate task of investigation,"  
Walton-Washington said.

Walton-Washington said her office has concluded its investigation,
although she concedes that it will be virtually impossible to
determine who the responsible party is.

"That is actually going to be terribly difficult," Walton-Washington
said. "We can't identify who. The most we have is a very benign Web
address, and it's not a person."

The university has taken a number of steps to put additional
firewalls in place to prevent someone from hacking into the server
again, Walton-Washington said. Asked what they were, Walton-Washington
said: "Action has been taken, but I'd rather not go into detail to
encourage someone else. But we have taken steps to secure this

Dick Metz, the school's vice president of administration and business,
said his office shipped an estimated 2,000 letters to students whose
personal information may have been accessed. Some of the potentially
compromised information includes names, Social Security numbers,
addresses and telephone numbers, Metz said.

"While there is no evidence that the intruder accessed any private
information, we are notifying every student who might be affected so
they can alert a credit reporting agency should they choose to do so,"  
Metz said.

In his letter to students, Metz issued an apology on behalf of the
university, saying, "We consider any breach of our computer security a
serious matter, so please accept our apologies."

Cal State Hayward is the latest campus to have its server illegally
tapped into.

Earlier this year, officials at Cal Poly, San Luis Obispo had to issue
a warning to about 700 students after an online break-in. The same
occurred at San Diego State, requiring officials there to notify more
than 178,00 current, former and prospective students.
