CSUSM’s internal network hacked; university launches two-step authentication system


Screenshot of IITS' website

An unknown actor infiltrated the CSUSM network in October. The school has now launched a two-step authentication system to improve security.

Ruben Santana, Staff Writer

Instructional & Information Technology Services (IITS) issued an email notice to the entire campus community on Oct. 6 that CSUSM’s internal network had recently been infiltrated by an unknown actor.

An Information Security unit identified the harmful incident took place overnight from Oct. 1 into the early morning hours of Oct. 2. According to the IITS email, the incident “resulted in some user directory information (first name, last name, email address, campus phone number) being obtained.”

As soon as IITS became conscious of the event, they quickly restricted the actor’s access and administered an internal investigation. In addition, IITS strongly recommended all faculty, staff and students to change their passwords.

Kevin Morningstar, IITS Dean and Chief Information Officer, said when cybersecurity incidents like this one occur, they become IITS’ highest priority. “We drop everything. That becomes the focus regardless of what else is going on,” said Morningstar in an Zoom interview with The Cougar Chronicle.

Christine Vaughan, Director of Communications in The Office of Communications, also joined in on the Zoom call with Morningstar and The Cougar Chronicle. 

“IITS works every day to protect our campus to provide technology to make sure we are secure,” said Vaughan. “[T]hey really pulled off a miracle for our campus.”

Following the cybersecurity attack, IITS implemented Duo Security, a multi-factor authentication system designed to add another level of security. Morningstar said that Duo “has been an initiative within the CSU” for over a year.  

At CSUSM, there were plans to roll out Duo in February 2020, but the COVID-19 pandemic pushed back those plans. At that time, “It became focused on students receiving financial aid only and there were about 6,000 students that did enroll in order to receive this COVID related financial aid,” said Morningstar.

The rationale behind Duo’s original intention at that point was to protect students’ security with direct deposits. Morningstar said it is typical for malicious actors to redirect people’s bank deposits to another location, “which had been a known occurrence in higher ed in the United States.”

“Ultimately, multi-factor is adding that element of physical presence that you really need in the virtual world because everything else is online. The only thing that really controls it is something you have physical possession of,” Morningstar said.

Morningstar said that people should recognize that  “Passwords are not up to the task in our modern society.”

IITS emboldens “every member of the CSUSM community to put two-factor [authentication] on everything from your social media to your banking to every system,” said Morningstar. “Every time you accept two-factor authentication on your phone, you ought to smile and say, ‘That’s keeping that resource safe.’”

Over 18,000 faculty, staff and students were enrolled in Duo as of Dec. 4. “That happened in just a little over two weeks, which is actually an amazing feat for both the campus community and from a technical perspective,” said Morningstar.

To the best of IITS’ knowledge, “no one in the United States higher education environment has rolled out over 18,000 individuals and deployed” the multi-factor authentication system “in two weeks.”

Overall, the experience has turned out relatively well, said Morningstar, adding that he hadn’t seen any “stress or concern” and students appear to have been “very thankful for the protection.” 

Jeffrey Ray, a lecturer of the art, media and design department within the School of Arts, explained that the whole situation was “very secretive” and there was an “urgent faculty meeting” called at a “very specific time” amongst his professional colleagues. 

Ray said he had “no idea” as to what happened once the condition started to escalate in the beginning. “It still was mysterious because I don’t know who, what, when, why. I still don’t know.” 

Although he mentioned that “There was really not much information given and hasn’t been much information since” at least for him, Ray did not wait to follow IITS’ recommendations.

Ray also added that because he is familiar with technology, he found it easy to set up Duo. He also said he watched a video to make sure he was “doing everything right” and so that he could better explain to his students how Duo worked.

Dorian Merino, a fifth year student majoring in art, media and design, said she was worried about her “information being leaked” as her and her father’s bank information is stored in the university’s systems.

About the hack, Merino said that it could have been a lot more concerning, and said that she knew IITS would be “capable of taking care” of the problem.

Charles Harris, a senior also majoring in art, media and design and minoring in computer science, said that he “wasn’t too shocked or surprised” when the hacking took place. 

He said, “I have sensitive data stored” on the campus servers and “I’m sure everybody else does too.” From the time Harris read the email notice, he didn’t immediately follow the recommendations set forth by IITS to change his password.

For more information, please visit IITS’ website at csusm.edu/iits/. To view IITS’ recent notices, see the below links: 

Oct. 6 announcement

Nov. 30 announcement

Dec. 10 announcement