40,000 Student Records Exposed in Cabrillo College Hack

The attack on the California community college’s server potentially compromised 12,000 student Social Security numbers and the sensitive records of 28,000 other students.

by Nicholas Ibarra, Santa Cruz Sentinel / October 11, 2017

(TNS) -- APTOS, Calif. -- A hack into a Cabrillo College server may have exposed personal information of 40,000 students, the school announced Friday.

The Social Security numbers of 12,000 students were potentially compromised in the breach as well as passwords, names, dates of birth, addresses and emails of 28,000 additional students, according to Cabrillo spokeswoman Kristin Fabos.

The first known hack in the community college’s history comes just a month after Equifax announced the largest data breach of all time, affecting the data of more than 143 million Americans.

All 40,000 affected students were notified via email Friday, and those whose Social Security numbers may have been exposed were also mailed a letter, Fabos said.

“We do not have evidence that the information was accessed or used but because it was exposed out of an abundance of caution we’re notifying all students who were affected,” Fabos said.

Cabrillo is also offering affected students a year’s membership to a credit monitoring and identity protection service.

The hacked server stored information dating back to 2009 collected as part of the student orientation process, Fabos said. While now the school uses unique student ID numbers, up until a few years ago Social Security numbers were used to identify students, she said, which is why that information was stored on the server.

Fabos said Cabrillo became aware of the breach Sept. 5 after its internet service provider notified the school that it had detected unusual activity. After investigating, staff determined an unauthorized person had gained access to the server. The server was immediately disabled and an investigation began into what information could have been compromised.

Identity theft is the primary concern with this type of data breach, said Ethan Miller, a computer engineering professor who directs the Center for Research in Storage Systems at UC Santa Cruz. Another key question about the breach is whether passwords were encrypted on the server or stored in what is known as “plaintext.” If the passwords were stored in encrypted form, then they would not easily be decipherable to the attacker, Miller said. While security experts such as Miller recommend that passwords never be recycled across multiple accounts, it remains a common practice.

Since discovering the breach, Fabos said the school has improved security of its orientation system and implemented a more secure password storage system. But she was unable to confirm how the passwords had been stored or whether the server was secured to industry standards. She was also unable to confirm when the server was first accessed and whether the breach was isolated to a single incident.

Cabrillo retained a law firm experienced with similar incidents to help with the school’s investigation, and a state audit is expected to begin later this month.

Miller recommended that anyone whose information may have been affected should freeze and monitor their credit and immediately change any potentially duplicated passwords.

Anyone whose information may have been affected is asked to call 888-396-9528 with any questions about the incident or to take advantage of the identity protection services.

©2017 the Santa Cruz Sentinel (Scotts Valley, Calif.) Distributed by Tribune Content Agency, LLC.