The San Francisco Chronicle reports on a five-year security breach that affects the personal data of students of the City College of San Francisco:
Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called “an infestation” of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned.
At work for more than a decade, the viruses were detected a few days after Thanksgiving, when the college’s data security monitoring service detected an unusual pattern of computer traffic, flagging trouble.
It appeared at first that the problem was contained in a single computer lab at Cloud Hall on the Phelan Avenue campus, one of a dozen City College sites around the city. […]
But a closer look revealed a far more nefarious situation, which had been lurking within the college’s electronic systems since 1999. For now, it’s still going on. So far, no cases of identify theft have been linked to the breach. That may change as the investigation continues, and college officials said they might need to bring in the FBI. […]
Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, [David Hotchkiss, the school’s chief technology officer,] and his team discovered. Servers and desktops have been infected across the college district’s administrative, instructional and wireless networks. It’s likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.
Some of the stolen data is probably innocuous, such as lesson plans. But an analysis shows that students and faculty have used college computers to do their banking, and the viruses have grabbed the information, Hotchkiss said. […]
State law requires that cyber victims be notified when personal information has been stolen, and college officials are trying to determine who needs to be told. The college is analyzing 17 computer systems thought to be at risk.