An ethical hacker accessed the confidential information of students at San Francisco State University in 2014 through an internet security flaw that made the information public, he claimed under oath earlier this month in a court case involving possible Russian hackers.
Bryan Seely, who is known locally for recording calls to the San Francisco office of the Federal Bureau of Investigation to expose a problem with Google Maps, said he was able to view the social security numbers, dorm room assignments, home addresses and birth dates of students at SFSU.
“That’s enough to steal someone’s identity,” Seely said in a deposition July 12.
As an ethical hacker, Seely was investigating a weakness in Oracle software used by government entities around the nation when he stumbled upon the problem at SFSU. Seely said he could access student information at SFSU by deleting a backslash in a link to a server.
Though he only viewed the personal information of a few students, Seely said the vulnerability showed him a username and password that, if used, would have given him access to the “entire back end, not just the housing for San Francisco State.”
“This discovery and this vulnerability shows that the entire system could be compromised by somebody who had the ability, or didn’t care about the ethics of it or going to jail,” Seely said.
When he notified a then-information security officer at SFSU named K. Mignon Hofmann, the university immediately remedied the vulnerability. But Hofmann went on to find even more issues when she inspected the university servers.
Hofmann, who has since filed a whistleblower retaliation lawsuit against the university for firing her, claims that she found evidence that Russian hackers had access to an SFSU server.
Hofmann said she found a Remote Access Trojan, or malware, on a server that she claims traced back to a Russian-denominated IP address.
“We identified a tunnel going back to Russia (yes, sounds like a movie, and we are in it…),” Hofmann wrote to SFSU President Leslie Wong in November 2014. “We don’t yet know how developed the code is nor its objective… The server however had access to the old campus database on students, faculty, financial aid, etc.”
In February 2015, an independent contractor confirmed in a report that there were “attackers” who were able to add, remove or edit files to the SFSU database with the Remote Access Trojan. The report was made public in court filings.
But the Business and Technology Resource Group could not find evidence that the attackers accessed “sensitive data” because the database was not recording their activity, according to the report.
The consultant did find files from the malware including a Bitcoin Miner, which uses computer power to generate the virtual currency.
Despite both incidents, SFSU officials have never notified the public or students of a possible breach and dispute that one happened.
Under state law, universities are required to notify students if their confidential information “was acquired, or reasonably believed to have been acquired, by an unauthorized person.”
SFSU spokesperson Elizabeth Smith said in a statement Wednesday that the university disagrees with Seely’s version of events.
“The university investigated the incident and retained outside experts who also thoroughly examined the situation,” Smith said. “No breach of data was found and no student or employee information was compromised.”
In one September 2014 email obtained by the Examiner, then-Interim Chief Information Officer Bob Moulton acknowledged that there was no record of what the “hackers” accessed, suggesting that there is no way officials could know.
“The Oracle vulnerability we have been working on has gotten worse,” Moulton wrote. “Unauthorized code has been installed on five servers. This exploit allows hackers to execute queries against our databases. The trail of activity goes back to May and we don’t have any way to tell which information was accessed.”
SFSU Vice President Ron Cortez also acknowledged a “breach” in a September 2014 email to Wong, saying that Moulton and his team “continue to attempt to define the extent of the breach.”
Seely said in his deposition he thinks both incidents are breaches. Seely compared the situation to a bank safe where “you don’t have any evidence that someone broke in except someone left a cake that said, ‘ha, ha, ha.’”
“That’s what you have here,” Seely said. “Someone put the cake in there and … they’re not supposed to have access.”
The case is ongoing in San Francisco Superior Court.