CSU San Marcos was hacked in October

California State University, San Marcos announced on Sunday that its students were notified of a successful hacking incident in October that resulted in school directory information being stolen from the university.

CSUSM’s IT security team discovered that the university’s internal network had been infiltrated by an unknown actor on Oct. 1 and quickly restricted the actor’s access once the incident was discovered. The university said it notified staff and faculty on Oct. 6.

An internal investigation revealed that information of students and staff — including names, email address and campus phone numbers — was accessed by the hacker. Administrators recommended faculty, staff and students change their passwords.

Following the attack, CSUSM implemented a multi-factor authentication system from the cybersecurity company Duo Security for students, faculty and staff.

Kevin Morningstar, CSUSM’s dean of instructional and information technology services chief information officer, told CSUSM’s student newspaper the university had plans to roll out multi-factor authentication in February 2020, but the COVID-19 pandemic pushed back the project.

“Ultimately, multi-factor is adding that element of physical presence that you really need in the virtual world because everything else is online. The only thing that really controls it is something you have physical possession of,” Morningstar said.

More than 18,000 faculty, staff and students have enrolled in the multi-factor system as of Dec. 4, according to CSUSM’s IT security team, after it was made available two weeks prior.

Many other universities have also fallen victim to cyberattacks this year, inducing Michigan State University, the University of California San Francisco and the University of Utah. According to Verizon’s 2020 Data Breach Investigations Report, U.S. educational institutions endured 819 cyberattacks last year, 665 of which involved ransomware.