Cyber Incident Victim: California Northstate University

California State University, East Bay experienced a breach of a web server storing personal employee information, discovered by the university’s information security team on August 11, 2014. The intrusion had occurred nearly one year earlier on August 23, 2013, remaining undetected until the discovery date. An unauthorized individual gained access to the server, which housed employment transaction records and certain extended learning course information. The attacker utilized malicious software to copy a data file containing sensitive personal details. The compromised information included full names, addresses, and Social Security numbers for 6,036 individuals. Birth dates for 508 individuals were also exposed in the same file. The university initiated an investigation following the discovery to determine the breach’s scope and origin.

The subsequent investigation confirmed the attacker’s method involved exploiting the server to extract the targeted data file. No evidence suggested misuse of the stolen information at the time of disclosure. Impacted individuals consisted primarily of employees whose employment records were stored on the compromised system. The university notified all affected parties about the exposure of their personally identifiable information. A template of the notification letter was submitted to the California Attorney General’s office, fulfilling state regulatory requirements. The breach’s nearly year-long undetected presence indicated a failure in timely security monitoring. University officials publicly acknowledged the incident but did not disclose specific remediation measures taken beyond the investigation and notifications.