Eight of the 23 California State University campuses’ data were breached through a vendor of the new mandatory sexual assault training – which did not include Fresno State.
Last semester, federal law and the California State Auditor began requiring colleges and universities to provide students with a mandatory online sexual assault prevention training.
Each of the CSU campuses had the option of choosing one of three vendors that were conducting the required trainings, said Fresno State Chief Information Officer Orlando Leon.
“The CSU system generally provides each CSU campus a bit of flexibility by providing a few vendors for any particular technology,” Leon said.
The eight universities that chose We End Violence (WEV), one of the CSU-approved vendors, were affected by the data breach. About 79,000 students from CSU Channel Islands; San Bernardino; Maritime Academy; Northridge; Cal State Los Angeles; California Polytechnic University, Pomona; San Diego State and Sonoma State University were affected.
Fresno State, along with the other 14 campuses that chose Haven or Not Any More, the third option, were not affected.
“No system is 100 percent secure, but the vendor has not reported any major security breaches, to our knowledge, and the CSU Chancellor’s Office has provisions in place regarding notification and liability, if a data breach ever occurs,” Leon said.
Although no additional security measures were initiated as a direct result of the incident, Fresno State is actively implementing several security initiatives and researching others in collaboration with our CSU Chancellor’s Office, Leon added.
The data breach, which was discovered Aug. 28, disclosed information such as sexual orientation, email and mailing addresses, gender, ethnicity, age, relationship status, sexual identity, and the user ID and password created by the student in order to use the online training tool were also part of the data exposure, said Toni Molle the CSU director of public affairs. But did not include Social Security numbers, driver’s license numbers, credit card data or other personal identifiable information.
“Protecting student data and personal information is a top priority of the CSU [system],” the Cal State University Office of the Chancellor said in a statement. “As soon as it was learned that student information was exposed by a third-party vendor (hired to provide web-based sexual assault and prevention training), immediate action was taken at the eight impacted campuses to further safeguard student information.”
The impacted students were advised to immediately change their CSU password if the same password is used for their banking, social media accounts or other online activities, the Office of the Chancellor said. A toll-free telephone hotline was also established by the vendor to answer students’ questions about their data, credit reports and other inquiries.
“As a special safeguard, the impacted campuses have erased all existing student login information for the impacted students,” Molle said. “This has been done in the event the students used the same login and password for the online training.”
The vendor has also launched a formal investigation of the matter using a third-party forensic firm, she added.
“It is no longer a matter of ‘if’ we are hit with a security breach but ‘when,’” Leon said. “This is why it is very important that Fresno State and the CSU system takes a more proactive approach to securing our technology systems, negotiating proper contracts, and educating our students, staff, and faculty.”