Update: Associated Students Server Incident

SJSU Media Relations:
Robin McElhatton, 408-924-1749, robin.mcelhatton@sjsu.edu

December 26, 2018

Dear Campus Community,

We write to provide an update on the incident involving the San Jose State University Associated Students website. As previously reported, SJSU Information Technology (IT) was alerted on December 10, 2018, to an event that may have involved an unauthorized intrusion into the Associated Students website. Upon learning of the incident, we immediately took action and blocked all access to and from the affected server and began an investigation to determine what happened and what information may have been affected. Our investigation has determined that an unauthorized third party accessed an Associated Students server that stored student, former student, faculty and staff names, email addresses, usernames and passwords that were used in connection with Associated Students applications. No Social Security numbers, financial, banking, or medical information were involved in this event.

Please note that this incident impacted an Associated Students server only. SJSU systems were not compromised and remain secure.

We have no evidence that the information involved in this incident has been misused or that financial fraud or identity theft has resulted or can result from this event. However, out of an abundance of caution, we provided notification to all individuals involved in this event via email on December 26, 2018. We have also established a call center to answer any questions individuals may have. The call center can be reached at 877-209-9599, Monday through Friday from 6 a.m. to 6 p.m. Pacific Time.

Maintaining information security is part of our commitment to providing high-quality education, and we deeply regret any concern or inconvenience this incident may cause. To help prevent something like this from happening again, SJSU IT will be conducting security assessments across third-party entities that are auxiliaries of the university, such as Associated Students, in an effort to prevent any new or additional risks from arising. Further, all Associated Students servers have been isolated and migrated into SJSU technology infrastructure, and are being monitored and managed by SJSU IT. Access to the Associated Students website is now located at sjsu.edu/as.

Thank you,

Bob Lim
Vice President for Information Technology and Chief Information Officer

Frequently Asked Questions

Updated as of December 26, 2018

When did San Jose State University learn of this incident?

We learned of this incident on December 10, 2018, after SJSU Information Technology (IT) received an alert that referenced a cyberattack against the Associated Students website. Upon learning of the incident, we immediately took action and blocked all access to and from the affected server and began an investigation to determine what happened and what information may have been affected.

What personal information may have been affected?

Our investigation determined that an unauthorized third party accessed an Associated Students server that stored student, former student, faculty and staff names, email addresses, usernames and passwords, which were used in connection with Associated Students applications. No Social Security numbers, financial, banking, or medical information were involved in this event.

Who did it?

We do not know the identity of the perpetrator.

How did the hacker get into the Associated Students server?

The attacker used a malicious software tool to inject unauthorized code to gain access to the server.

What have you done to keep something like this from happening again?

Maintaining information security is part of our commitment to providing high-quality education, and we deeply regret any concern or inconvenience this incident may cause. To help prevent something like this from happening again, SJSU IT will be conducting security assessments across third-party entities that are auxiliaries of the university, such as Associated Students, in an effort to prevent any new or additional risks from arising. Further, all Associated Students servers have been isolated and migrated into SJSU technology infrastructure, and are being monitored and managed by SJSU IT. Access to the Associated Students website is now located at sjsu.edu/as.

Will this result in identity theft or financial fraud?

This incident did not involve the type of data generally used to commit identity theft, such as Social Security numbers or driver’s license numbers. In addition, financial account information was not stored on the Associated Students server. We notified those involved out of an abundance of caution so they can take appropriate steps to protect their information. We have no evidence that information has been misused, or that any financial fraud or identity theft has resulted or can result from this incident. We recommend changing your passwords on a regular and frequent basis, as well as using strong and unique password combinations. Further, you should always remain vigilant in reviewing your financial account statements for fraudulent or irregular activity on a regular basis.

What is Associated Students?

Associated Students is a student-directed, separate 501(c)(3) entity and an auxiliary of SJSU that provides students with leadership, support and various services. Associated Students is also the official seat of student governance for the campus.

What Associated Students applications were involved?

The applications involved include the SSO Application, Timecard Application, Campus Recreation Application, Book Exchange Application, Lab Registration Application and Silent Auction Application.

How do I change my SJSU email password?

To change your email password, visit the SJSU Set/Reset Password page. This page will prompt you to enter your SJSU ID number. Your username is your 9-digit SJSU ID number. Your SJSU ID is the same as your employee ID or student ID. Your SJSU ID is also printed on the back of your Tower card. Please note that if it has been more than one year since the end of your last semester, you will no longer have an SJSU One account.
 
 


December 14, 2018

Dear campus community,

Out of an abundance of caution, San Jose State University is informing our faculty, staff, current and recent students that on December 10, 2018, SJSU Information Technology (IT) was alerted to a recent event that may have been an unauthorized intrusion into the SJSU Associated Students (AS) website. SJSU IT immediately contained the incident by blocking all access to and from AS servers. SJSU IT quickly initiated an investigation by engaging with AS and third-party cybersecurity experts to determine the extent of the AS website intrusion, and whether or not any information had been compromised.

To reiterate, the event affected AS servers only. AS is a student-directed, separate 501(c)(3) entity that provides SJSU students with leadership, support, and various services. SJSU’s main website and university systems were not affected. In addition, SJSU IT isolated and migrated AS servers into the university’s technology infrastructure. Access to the AS website is now located at sjsu.edu/as.

This is an ongoing investigation. Once we learn whether and what information may have been compromised and who may be impacted, SJSU will inform our community appropriately. At this time, we have no basis for believing that sensitive personal information of our campus community was compromised. Updates will be posted on this page.

Thank you,

Bob Lim
Vice President for Information Technology and Chief Information Officer