A data breach at California State University (Cal State) has put the personal information of almost 80,000 students at risk.
University officials reported earlier this week that compromised systems at eight of the school's campuses exposed the personal information of students currently enrolled in an online sexual violence prevention course.
The class is conducted by an outside vender, We End Violence, and is a non-credit course required for all students. According to a Cal State spokesperson, We End Violence is one of three third party vendors the school contracts for the course. The other two companies were not affected in the breach.
Authorities currently have very few details about how the hack took place, other than the fact that it was the result of a "vulnerability in the underlying code," according to the Los Angeles Times. An investigation is currently ongoing.
The students' information that was exposed included login and passwords for the class, school email address, gender, race, relationship status and sexual identity. Billing information, such as Social Security, credit card and driver's license numbers were not included in the hack.
"Protecting student data and personal information is a top priority of the California State University," read a statement issued by the chancellor's office. "As soon as it was learned that student information was exposed by a third-party vendor (hired to provide Web-based sexual assault and prevention training), immediate action was taken at the eight impacted campuses to further safeguard student information."
The affected campuses included Channel Islands, Los Angeles, San Bernardino, Maritime Academy, Cal Poly Pomona, Northridge, San Diego and Sonoma.
This case shows why it is important to factor outside suppliers into a disaster recovery plan. Companies that have yet to develop their own disaster recovery strategy can partner with a business continuity consultant that has extensive experience handling these issues.