The San Francisco Chronicle reported that a data breach at the City College of San Francisco (CCSF) could affect tens of thousands of students, employees, faculty, and staff. After the Thanksgiving holiday, computer viruses were found installed on computers in the college's computer labs.
The computer viruses had been installed as long as 10 years ago, and transmitted stolen data to locations in several countries. The data stolen included personal banking and other sensitive personal data. According to the newspaper report:
"Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran... Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected."
The college has posted a page with frequently asked questions to assist its users. the page stated in part:
"Currently there is no evidence that any of the College’s main servers and databases held in trust by the College have been compromised. Our security consultants are still conducting their analysis but it appears at this time that the viruses focused on information taken off individual workstations and computer servers for student labs. Confidential student and employee information is held in trust and stored on District servers. Our network security consultants are continuing their analysis of the servers and we will communicate the results of this work as soon as it is available."
For users that have experienced identity theft or fraud, the college FAQ page directs users to the U.S. Federal Trade Commission (FTC) website for further assistance.
If this FAQ page is the extent of the breach notice by the college, then -- in my opinion -- it is woefully inadequate. It would seem that the data breach caught the school administration unprepared.
The notice should inform users about the results of the breach investigation and actions so this breach doesn't happen again. Since online banking credentials appear to have been stolen, that represents ways for identity criminals to access the bank accounts of breach victims to steal money and/or more personal information: personal data: full names, email addresses, street addresses, Social Security numbers, and mobile phone numbers. With this core personal data stolen, thieves can obtain credit fraudulently.
Given this, the breach notice should also provide contact information and links to the credit reporting agencies. Simply suggesting to users that they change their online passwords is not enough given the personal information exposed. If further fraud happens, the college needs to step in and provide free credit monitoring and resolution services.