Breach Exposes Relationship Info on Pupils in Cal State Sexual Harassment Course

A university-hired vendor offering students mandatory online sexual violence prevention courses called We End Violence was hacked.

The noncredit classes are required of all the school’s students by state law.

Data at two other companies providing the classes was not broken into.

Cal State officials said there was a “vulnerability in the underlying code” at We End Violence.

Information such as passwords used to log into the class, as well as sign-in names, campus-issued email addresses, gender, race, relationship status and sexual identity were exposed.

We End Violence was first alerted to a possible breach on Aug. 24. The website was shut down two days later. Students weren’t notified by the company until Sept. 4.

“We were working as quickly as we could and had to be sure we had the correct student list and that the CSU system was aware of what was going on … so they could provide their own responses,” Carol Mosely, director of We End Violence. “We believe in shutting down the website on the 26th we were protecting students at that point.”