Hackers Compromise Cal State, Excellus BCBS Data

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Tens of thousands of Cal State students' data and millions of Excellus BlueCross BlueShield customers' personal information may have been exposed as a result of recent cyber attacks.

In Cal State's case, no university systems were hacked -- the victim was the third party vendor We End Violence, which Cal State had contracted with to teach classes on sexual harassment, according to the Los Angeles Times.

The breach, which was discovered on August 24, 2015, potentially exposed the personal information (name, student ID number, user name, password, campus email address, gender, race, relationship status, and sexual identity) of almost 80,000 students who took We End Violence's classes.

"In an abundance of caution, we took down the Agent of Change website on August 26, 2015," We End Violence director Carol Mosely wrote in a notification email [PDF] to those affected. "Third-party computer forensics experts were retained to assist with an investigation into the nature and scope of any intrusion."

The Cal State campuses impacted by the breach are Channel Islands, Los Angeles, San Bernardino, Maritime Academy, Cal Poly Pomona, Northridge, San Diego and Sonoma. All affected students will be required to change their passwords, and are being advised to be wary of potential phishing emails.

10 Million Records

Separately, the New York health insurer Excellus BlueCross BlueShield discovered a breach of its IT systems on August 5, 2015. A subsequent investigation determined that the breach began on December 23, 2013.

NBC News reports that more than 10 million records may have been accessed, including those of customers of Excellus affiliates Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies and Univera Healthcare.

The data potentially exposed includes customer names, addresses, phone numbers, birthdates, Social Security numbers, member identification numbers, financial account information and claims information. All those affected are being offered two years of identity theft protection from Kroll.

"Along with steps we took to close the vulnerability in our IT system, Excellus BCBS is taking additional actions to strengthen and enhance the security of our IT systems moving forward," Excellus president and CEO Christopher C. Booth wrote in a notification letter [PDF] to those affected.

Large ROI for Hackers

According to the findings of Gemalto's Breach Level Index for the first half of 2015, the number of data breaches in 1H 2015 increased by 10 percent compared to the first half of 2014, with the healthcare sector accounting for 34 percent of all compromised data records.

"What we're continuing to see is a large ROI for hackers with sophisticated attacks that expose massive amounts data records," Gemalto vice president and CTO for data protection Jason Hart said in a statement.

"Cyber criminals are still getting away with big and very valuable data sets," Hart added. "For instance, the average healthcare data breach in the first half of 2015 netted more than 450,000 data records, which is an increase of 200 percent compared to the same time last year."