Attachment 18B
February 23, 2012 Dear Current and Former CCSF Students and Employees, This letter is sent to you per California State Civil Code 1798.82 and 1798.29 relative to personal information privacy and serves as notification in accordance with the said code. On Monday, November 29, 2011 City College of San Francisco’s (CCSF) Information Technology Department discovered several malicious viruses on a server and computers in a computer class room in Cloud Hall. At least one of the malicious viruses is capable of taking screen shots from a computer monitor and capable of logging keyboard key strokes was found on a computer. The College took immediate steps to remove the server from service and with help from an outside network security company, began to evaluate the pervasiveness of the viruses’ propagation. It was also discovered that the viruses had spread to the College’s instructional and administrative networks infecting many of the servers and computers on the College network. Evaluation of the viruses found that personally identifiable information may have been taken and transmitted to various entities external to the College. It was also indicated that the some of the viruses had been resident on servers and computers for up to ten years. While these malicious viruses were found on the College networks, it appears that none of the District’s databases were compromised as of the time of this writing. The personal data that may have been taken is believed to be only data which may have been captured when an individual used a CCSF computer for financial and other personal transactions. The Federal Bureau of Investigation (FBI) was notified. On January 27, 2012 the FBI’s Cyber Crime Unit subsequently notified the College that there is currently an ongoing criminal investigation relative to viruses based on a criminal case in US District Court. The FBI investigation spans over 4.2 million computers and 32,000 networks worldwide. The CCSF networks are included in them. The FBI informs us that the malicious software directs infected computers to DNS servers throughout the United States used to collect personal identifiable information. Technicians within the CCSF Technology Department are working on cleaning all infected servers and computers. They are also putting in place new security processes in an effort to contain the current and block future attacks. While we have no indication that anyone actually used any of this information, I want to bring this situation to your attention so that you are aware of the actions you can take to minimize any potential risk of identity theft. As a precaution, you may wish to consider placing a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. This procedure is described on a separate attachment included with this letter. Information also is available on a website we have established: http://www.ccsf.edu/securityalert. The web site includes further suggestions for monitoring your credit and links to state and federal resources. Finally, we have established a number to help answer any additional questions you may have at 415-XXX-XXXX. We have a responsibility to safeguard personal information, and all members of the College's workforce take this obligation very seriously. We have worked hard during the past few years to reduce the amount of personal information used for any academic or business reasons to the absolute minimum and we will continue to do so. I deeply regret any concern or inconvenience this incident may cause you. Sincerely,
Dr. Don Q. Griffin Chancellor