An email was sent on Sept. 3 notifying Sonoma State University students of the breach of security of the service provider We End Violence. The program was designed to teach students of the repercussions of sexual assault, and was required to be completed before registering for classes in the 2015 spring semester.
The email assured students that no social security numbers, driver’s license numbers or credit card information was disclosed, however, data such as passwords, gender, race, ethnicity, age, relationship status, sexual identification, student ID numbers, name and email addresses were compromised.
“To the best of my knowledge, the technical details of how the breach occurred have not been made public,” said Andru Luvisi, information security officer of police and safety services at Sonoma State.
From the information that has been provided, it can be determined that the breach was conducted through a third party vendor providing web-based sexual assault prevention training to students. According to the email, the web server has been taken down and is currently not available from this provider. The deadline to complete the Agent of Change training will also be extended due to such service outages. Another email will be sent when the site is back up with the new deadline.
Luvisi stated he did not know whether or not this service was specifically targeted or whether the attackers just found a vulnerable server that they could exploit. However, he confirmed that 5948 Sonoma State students potentially had some information compromised, including the username and password that they used to register for the training.
“Because many people reuse the same password for multiple accounts, we are requiring those students who registered with We End Violence to change their Seawolf password before the end of September,” said Luvisi. “We also recommend that they change their password for any other service with which they used the same password”
Another follow up email was sent on the Sept. 9, which requested students to change their Seawolf password early.
“The CSU is required under federal Title IX to provide sexual assault prevention education to students. Title IX is a comprehensive federal law that prohibits discrimination on the basis of sex in any federally funded education program or activity,” said Susan Kashack, associate Vice President of Marketing and Communications. “Student and employee’s personal information is a highest priority.”
The student body of Sonoma State University is in shock over the breach of information.
“I think it’s disturbing that information was accessed. I changed my passwords as the email requested but it still scares me that other people’s information is at risk,” said junior, Meghan Hill.