UAS COMPUTER INTRUSION
FREQUENTLY ASKED QUESTIONS
Cal State L.A. recently learned that, through unauthorized access, a computer on campus was being used to scan another university’s computer network. The Division of Information Technology Services tracked the suspicious activity to a University Auxiliary Services, Inc. server and immediately secured the server to prevent continued intrusion. (A server is a computer that is used to store data that is shared with multiple users.)
The intruder(s) had installed malicious software (malware) on the UAS server over the Internet. This gave the intruder(s) access to the UAS server and, subsequently, to server files. (Malware can be described as a virus or worm infecting the host computer.)
How was the breach allowed to occur? Why was the server vulnerable?
Two key factors likely played a role in creating an insecure environment: lack of adequate complexity in passwords and usernames, and lack of timely implementation of software updates and security patches. As UAS is an auxiliary unit, its server was operated independently from the University network.
What type of information was breached?
The server housed information used to process and prepare payroll for UAS employees — specifically the names and Social Security numbers for at least 6,601 individuals dating back to 1999. The server did NOT store any of the following: credit card numbers, driver’s license numbers or personal identification numbers (such as banking PINs).
How long had information been vulnerable?
It has not been determined exactly how long the information was exposed to unauthorized access. The information is no longer susceptible to a breach.
Is there evidence that a crime occurred?
As of Nov. 3, 2008, no evidence has been found that a crime has occurred, and no additional suspicious activity has been reported regarding the incident, including from individuals with information on the server.
Were any other University information resources compromised?
No other University information resources were compromised.
What is University Auxiliary Services, Inc.?
UAS is a recognized organization of the California State University system. UAS coordinates and provides financial support services, human resources management, and contracts and grants administration to the University. It is also responsible for commercial operations on the campus, which include bookstore operations, campus food services and child care services.
What individuals and organizations are potentially affected by this incident?
Only individuals who had payroll processed by UAS are potentially affected by this incident.
If I worked under a UAS-administered program and am concerned about threats to personal information, how can I find out more?
A toll-free call center has been established. The number is (800) 883-4029. The call center will operate weekdays between 9 a.m. and 8 p.m., and on Saturday, Nov. 8, 2008, between 9 a.m. and 2 p.m.
What immediate actions did the University take to secure the system when it discovered the breach?
The University immediately took the server off-line and began an investigation to determine if any other UAS or University systems were affected. The investigation found that there was only one server involved in the breach.
What has the University done subsequently in response to the incident?
The impacted server will be replaced and housed under the ITS security network for greater security.
What can I do to protect myself if someone obtains my information without authorization?
Visit the following sites for helpful information:
- State of California Department of Consumer Affairs Office of Privacy and Protection, http://www.privacy.ca.gov/cover/identitytheft.htm
- Cal State L.A.’s “Are You Secure?” site, /its/itsecurity/
- The Federal Trade Commission, http://www.consumer.gov/idtheft
Consider contacting the credit-reporting agencies listed below to complete an automated phone-in fraud alert process. When you request a free fraud alert, the agencies will automatically place fraud alerts on your accounts listed with them, and they will separately mail you a credit report at no cost.
- Equifax (800) 525-6285 www.equifax.com
- Experian (888) 397-3742 www.experian.com
- TransUnion (800) 680-7289 www.transunion.com
What notifications have been sent?
Notification has been sent to all UAS board members and other individuals who could be affected by the breach. An alert was e-mailed campuswide and also placed on the UAS website.