Decade old virus harvests information from college computers

At the City College of San Francisco, an infestation of viruses has reportedly harvested data for over a decade undetected.

One of the college's computer labs was immediately shut down by the CTO David Hotchkiss after one of the viruses was discovered. The virus in question has led to fingers being pointed at China and Russia, due to the transmission of user data mainly being sent to these respective countries for an estimated decade. Data has also been sent to other countries including Iran and the U.S itself.

Shortly after the Thanksgiving holiday, the college's data security monitoring service, USDN, detected at least seven viruses activated each day at 10 p.m. This included all facets of the network, from administrative to wireless components.

Authorities have not yet ascertained exactly what information has been stolen, although it is suspected that the data transmitted is primarily personal information and financial data such as credit cards -- affecting all previous users of the computers, from students to staff members.

It is possible that thousands of users have become victims of the virus infestation. According to California state law, these victims must be notified as the investigation takes place.

The virus gained this information by logging keystrokes and recording screen images. It is possible that the malware has been able to spread to other computer systems if users have downloaded data at any point through flash drives, a well-known popular choice for students to use.

The server containing medical information of students and employees, at least, is apparently virus-free.

Hotchkiss, in a discussion with college trustees, said: "we may never know the full extent of the damage and how many lives have been affected by this. These viruses are shining a light on years of [security] neglect."

The reasons behind why this was able to remain undetected for so long are likely to be the same issues that affect colleges across the world -- inadequate funds, a lack of computer security awareness, and outdated networks unable to cope against constantly evolving malware and cyber attacks.

Hotchkiss is reported to have been appalled at the computer systems when he first began working at the college. An archaic network, outdated technology, 'technophobic' staff and inadequate security measures already ingrained in the college ethos has no doubt played its part in allowing this incredible breach of personal data privacy.

The FBI has been notified and the investigation is expected to take several weeks to ascertain the extent of the infection.

Image credit: Flickr

Related:

• Passwords to become fossils by 2017?
• ISU offers students $1000 to continue tech studies
• Bond University offers cloud computing course to students
• Is the university email system outdated?
• Microsoft's student social network, privacy concerns
• UC Berkeley's email system: Microsoft to Google