CSU San Marcos was hacked in October

Students, staff and faculty were notified earlier this year that a malicious actor had accessed sensitive data, prompting an upgrade to multi-factor authentication.
California State University, San Marcos campus
(California State University, San Marcos)

California State University, San Marcos announced on Sunday that its students were notified of a successful hacking incident in October that resulted in school directory information being stolen from the university.

CSUSM’s IT security team discovered that the university’s internal network had been infiltrated by an unknown actor on Oct. 1 and quickly restricted the actor’s access once the incident was discovered. The university said it notified staff and faculty on Oct. 6.

An internal investigation revealed that information of students and staff — including names, email address and campus phone numbers — was accessed by the hacker. Administrators recommended faculty, staff and students change their passwords.

Following the attack, CSUSM implemented a multi-factor authentication system from the cybersecurity company Duo Security for students, faculty and staff.


Kevin Morningstar, CSUSM’s dean of instructional and information technology services chief information officer, told CSUSM’s student newspaper the university had plans to roll out multi-factor authentication in February 2020, but the COVID-19 pandemic pushed back the project.

“Ultimately, multi-factor is adding that element of physical presence that you really need in the virtual world because everything else is online. The only thing that really controls it is something you have physical possession of,” Morningstar said.

More than 18,000 faculty, staff and students have enrolled in the multi-factor system as of Dec. 4, according to CSUSM’s IT security team, after it was made available two weeks prior.

Many other universities have also fallen victim to cyberattacks this year, inducing Michigan State University, the University of California San Francisco and the University of Utah. According to Verizon’s 2020 Data Breach Investigations Report, U.S. educational institutions endured 819 cyberattacks last year, 665 of which involved ransomware.

Betsy Foresman

Written by Betsy Foresman

Betsy Foresman was an education reporter for EdScoop from 2018 through early 2021, where she wrote about the virtues and challenges of innovative technology solutions used in higher education and K-12 spaces. Foresman also covered local government IT for StateScoop, on occasion. Foresman graduated from Texas Christian University in 2018 — go Frogs! — with a BA in journalism and psychology. During her senior year, she worked as an intern at the Center for Strategic and International Studies in Washington, D.C., and moved back to the capital after completing her degree because, like Shrek, she feels most at home in the swamp. Foresman previously worked at Scoop News Group as an editorial fellow.

Latest Podcasts