A former SF State information security officer claimed in a lawsuit that she was fired in a University attempt to sweep “under the rug” a 2014 hack involving a significant student records breach including financial records and password reset functions.
“We’ve had minor cases,” former employee Mignon Hofmann said of her work at SF State. “This was the most severe case I’ve ever seen.”
The suit, filed in January at the San Francisco Superior Court, accused the University and Board of Trustees of California State University of wrongful termination and whistleblower retaliation. Hofmann is asking for more than $1 million in lost pension, lost past and future earnings and emotional distress, according to court documents.
The University confirmed in a written statement that there was a “security incident in which information that was publicly available was potentially accessed,” but “because there was no breach of personal data, students were not notified and students have no reason to be concerned about their personal information.”
The University and the Board of Trustees of CSU have issued a general denial of all charges and legal wrongdoing, according to court documents.
“SF State denies the allegations in Ms. Hofmann’s complaint and will vigorously defend the case,” the University responded in a statement. “The case is in the early investigatory stage, but SFSU believes the evidence will show that it acted properly and within its rights regarding Ms. Hofmann.”
Current and former University IT professionals were interviewed for this story but did not want to speak on the record. The University wouldn’t comment on which information was accessed.
“The language leaves open the possibility that there was a breach,” said Kevin Poulsen, an information security expert. He was consulted by Xpress but is not involved in this case.
Poulsen said he has heard of IT professionals being fired to avoid the breach disclosure required by California state law, but it’s hard to say how common it is because most often these situations are settled out of court to prevent information from entering the public record.
Information compromised by the breach is described in court documents as “key legacy databases of the University which stored all data on current and past students, financial aid, financial transactions, accounts receivables and interfaces to housing as well as campus wide account management and password reset functions.”
An outside firm first alerted Hofmann to the vulnerability in a University Oracle application server in September 2014, according to court documents. Bryan Seely and Ben Caudill, information security analysts who discovered the vulnerability went to CNN that month with information about the weakness that left government agencies, schools and universities in the U.S. — including San Francisco State — open to possible data breaches.
“There’s no way they can’t do an investigation with the information that I presented to them, saying, ‘Your shit’s on fire bro,’ and they’re just like ‘Nope, we’re good,’” Seely said. “’Like no, your house is on fire, and they’re like ‘No, it’s just smoke, we’re just running a drill.’”
Prior to the alleged breach, Hofmann had recommended improvements to the Oracle database security, which her lawsuit alleges were rejected by her superiors due to “budget constraints and IT security risk acceptances.”
“All I can tell you is this: the networks at SF State were not properly fortified, maintained or secured,” Seely said. “And SF State did not do what they were supposed to do with their own stuff.”
According to court documents, Hofmann had also alerted “University Management, Risk Management, Legal, Campus Police, Internal Audit, Student Affairs, Housing, the University President (Les Wong) and the Chancellor’s Office and other 23 campuses per existing procedures and to share information on the Oracle vulnerabilities.”
“They were risk accepting, they weren’t patching things,” Hofmann said. “It was Swiss cheese.”
The lawsuit alleges that Robert Moulton, the University’s then interim chief information officer, didn’t want to report a security breach “on his watch” and sought to “avoid reporting supporting information that might lead to a breach disclosure.”
Despite a previous “stellar” performance evaluation, Hofmann was terminated before she could further investigate the extent of the hack, according to the suit. The University confirmed that she had been employed at SF State from February 2008 to January 2015 and asserted that her termination was unrelated to this security incident.
Data breaches are potentially very costly, according to a 2016 research report by the Ponemon Institute, which estimated the average cost of a data breach in the education sector at $246 per person affected. Costs associated with repairing a data breach include payment for incident response teams, forensic experts and credit monitoring for those whose information may have been accessed.
“They could have protected themselves and everybody else. But they panicked. They wanted a different answer,” Hofmann said.
According to SF State, there have been six data breaches since 2011, the largest affecting 8,700 families enrolled in the Head Start program, which was reported. The breach described in Hofmann’s suit was not included in the list provided by the University.
Hofmann, who now works in information security at Microsoft said she hopes another university that was affected by this breach comes forward.
“Unfortunately that’s really common in the industry. Most people are incented to say, ‘Oh nothing here,’” She said. “Nobody knows for almost three years how bad this is.”
A trial is set for May 2017.
Timeline of events based on court documents