Menu
Browse

Cyber Incident Victim: California State University

Date:

Aug 2013

Location:

United States of America

Summary

A California State University campus experienced a web server breach compromising employee and extended learning records, with unauthorized access persisting undetected for nearly a year. Malicious software enabled the extraction of a file containing names, addresses, and Social Security numbers for over 6,000 individuals, alongside birth dates for approximately 500 people. The institution discovered the intrusion during a security review and initiated an investigation confirming the data theft. Notification letters were issued to affected parties following the discovery, with regulatory submissions made to state authorities documenting the incident's scope.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

California State University, East Bay experienced a data breach involving a web server storing employee and extended learning course information. The intrusion occurred on August 23, 2013, but remained undetected until August 11, 2014—nearly one year later—when the university's information security team discovered unauthorized access. Subsequent investigation revealed that an unknown attacker infiltrated the server and deployed malicious software designed to copy sensitive data files. The compromised records contained full names, addresses, and Social Security numbers for 6,036 individuals, with birth dates additionally exposed for 508 people. The targeted server primarily stored employment transaction records, though some extended learning program information was also affected. University officials confirmed the attacker specifically exfiltrated one data file through this malicious tool, indicating deliberate extraction rather than indiscriminate access. The extended dwell time of nearly twelve months between compromise and detection allowed prolonged unauthorized access to the system.

Cyber Incident Image

Upon identifying the breach, CSU East Bay initiated an investigation to determine the intrusion's scope and impact. The university confirmed that only one specific data file containing structured employee information was stolen, with no evidence suggesting broader system compromise or academic record access. Affected individuals—primarily university employees—received direct notifications detailing the exposed personal information categories. CSU East Bay submitted a template of its notification letter to California's Attorney General as required by state breach disclosure laws, publicly documenting its communication strategy. The breach exposed highly sensitive personally identifiable information capable of facilitating identity theft, given the inclusion of Social Security numbers alongside demographic data. No information regarding containment measures, forensic methodology, or post-incident security enhancements was disclosed in the submitted materials. The university's public disclosure occurred on September 6, 2014, through a third-party news outlet, with official notifications presumably distributed shortly before this date based on the discovery timeline.

Sources
Sources available to members
1 source