Security breach shocks university
Chico State has yet to notify most students or any staff members
CHICO >> Despite a data breach that was revealed Monday regarding a group of students who submitted COVID-19 vaccine religious exemption requests, Chico State has not yet informed all of its affected students as well as faculty and staff.
As of 1 p.m. Tuesday, no university announcement had been issued to staff and students.
“Not every student who filed an exemption request was affected,” said Chico State public relations manager Andrew Staples in response to why students and staff were not notified. “In fact only a small percentage are.”
Of the 130 names on the religious exemptions list, about 10 names and personal identification information were released in an anonymous online message board. Staples said the spreadsheet appeared in a message board in regards to a debate about how to apply for religious exemptions.
Staples said the person who shared the spreadsheet of names, which was dated June 7 to Aug. 10, attempted to “scrub the personable information off of it.” Staples stated the person did not do a great job at it resulting in the information being released. Staples would not comment on which online forum the names were released.
Staples said that the university learned of the breach Monday morning and was contacted by a Sacramento Bee reporter Monday asking to verify the information.
“As soon as we found out we had a potential inappropriate publication of student data we put in a plan to let affected students know,” Staples said.
Staples said as of Monday night a plan to inform students affected was in process but he would not comment more. He added the university is currently reaching out to the hand full of students whose personal information was exposed.
Chico State journalism chair Aaron Quinn said he has submitted plenty of digital information that anyone would want to remain private to the university and has never had any problem with it before. He said he would have liked to hear directly from the university rather than hearing it from the local news media outlets alone. Quinn said he asked one of his classes Tuesday morning about the breach and around 75 percent of his class did not know about the incident and was in shock.
“So overall, I think the university handles that private information well. But this case there was some sort of breach, and we don’t know what sort of breach it was,” Quinn said. “I don’t know how
“I think our generation is getting used to having no information private but it would be nice to in school. We’re not here to get our information stolen, we’re here to learn.” — Brady Brandt, Chico State junior
it was done, but any time you have humans involved there’s going to be human error. This doesn’t make me fear generally how the university handles data. But if it were to happen in the future, if things like this keep arising, then it would certainly have me pretty worried and scrutinized.”
Staples said Chico State is currently working with the University Police Department to investigate the incident. The first priority is to shore up any information technology vulnerabilities or security vulnerabilities which it has been doing since learning of it Monday. The second priority is working with police to see if it is able to determine how the information was obtained, who is responsible and if the university can hold whoever is responsible accountable.
“With the investigation in its early stages it would be premature to speculate on what the charges would be if the information was unlawfully obtained,” Staples said.
Staples said the system in which the information is stored and where students make their declarative statement is within Chico State’s secure network and is not outsourced.
“The information is protected student information. We take our responsibility to store students protected information very seriously,” Staples said.
Staples said those who may be hesitant to trust a process such as this in the future should know the university takes it seriously.
“I’d say we’re doing everything we can to make sure that the systems we use are as secure as possible and Chico State takes our obligation to protect students’ confidential information as seriously as possible and we’re taking all necessary steps to sure up our IT systems.”
With the California State University system requiring staff and students to submit vaccination certification by Sept. 30, Staples said there is no plan in place for alternative methods of submitting vaccination records or religious or medical exemptions.
Students react
Students at Chico State had mixed reactions upon learning of the data breach, some for the first time.
Alex Collanton said he had heard about the breach and said he does have less trust in sharing medical out personal information after the incident. He said it will be hard to regain that trust and isn’t quite sure how that trust can be rebuilt at this point.
Chico State junior Brady Brandt said he was one of the students on the religious exemption list and was representing a club Tuesday outside of the Merriam Library. Brandt said he had not learned of the data breach, but he added he wouldn’t be surprised if his information was leaked because his name is towards the top of the alphabet.
Brandt said he did not mind his information being leaked. He said the worst thing that could happen is that people know he disagrees with the vaccine mandate, and he is OK with that.
“I think our generation is getting used to having no information private but it would be nice to in school,” Brandt said. “We’re not here to get our information stolen, we’re here to learn.”
Brandt stated he is willing to wear masks wherever and submit COVID-19 tests as needed to comply with school regulations required.
Chico State junior David Rice, a member of the Chico State Christian club Challenge, said that he did not submit a religious exemption and is not worried about the incident.
“I trust the school as long as they truly are putting their
100 percent effort into it,” Rice said.
Fellow Challenge club member David Devel agreed with Rice and said that there is human error in everything and nothing is perfect. Devel said if there was a second data breach, it may change his views.
“If the information was used to go after people then there’s a problem,” Devel said.