Members of Associated Students at San Jose State University can feel at ease about the state of their personal information — for now.
The university said it has “no evidence” to support a hacker’s claim that he infiltrated the group’s server, which is separate from the school’s, and gained access to Social Security numbers, email addresses and driver’s license numbers.
A New York-based data firm, Identity Finder, said on its blog that the database breach was “extensive” and included things like job applications and even poetry:
“The database included a wide range of information from 2003 through 2012 including event registrations, poetry, job applications (including work histories, references, and questions regarding past convictions), work schedules, time cards, funding receipts, book exchange information, polls, job postings, laptop inventories, and website content.”
The potential fan of the ’90s movie “Hackers” decided to make his supposed accomplishment public by posting on Twitter that he was in possession of private information.
SJ State acknowledged a breach in the system, but has consistently denied the claims of the hacker known only as “S1ngularity.”
Despite the lack of information to suggest his claims are true, university spokeswoman Pat Harris said that the university will continue its probe into the situation:
“We have no evidence to suggest that the claims are accurate, but we take these claims seriously and will continue to look into the situation.”
Identity Finder alerted the media after it analyzed nearly four gigabytes of unencrypted data that contained emails, addresses, phone numbers, passwords and 10,000 student identification numbers — not Social Security numbers, as had been feared.
The firm said on its blog that it tried calling some of the phone numbers found in the breached data and was able to reach voice mailboxes that included the subject’s name. In two cases, SJ State students reached by the firm confirmed they had recently applied for jobs with Associated Students.
Aaron Titus, the firm’s chief privacy officer, said the numbers were valid but there were no names attached to any of them.
Titus said that the hacker used an SQL injection, which “tricks” the server into releasing information. The data goes back 10 years and includes administrative materials such as event registrations, job applications and work schedules.
The motive for the hack is not immediately known.