As reported by the San Francisco Examiner, in 2014, ethical hacker Bryan Seely was investigating a liability in Oracle software used by government entities when he came across a similar issue at San Francisco State University (SFSU). Per the deposition given by Seely earlier this month, a fatal server flaw made confidential student information potentially accessible to hackers.
“This discovery and this vulnerability show that the entire system could be compromised by somebody who had the ability, or didn’t care about the ethics of it or going to jail,” said Seely.
At the time, he notified K. Mignon Hoffman, an information security officer at SFSU, of his findings.
Bob Moulton was SFSU’s then-Interim Chief Information Officer. “The Oracle vulnerability we have been working on has gotten worse,” a concerned Moulton wrote in a September 2014 email. “Unauthorized code has been installed on five servers.”
While investigating Seely’s claims, Hoffman found evidence suggesting that Russian hackers gained access to a university server via a Remote Access Trojan (RAT). Hoffman claims to have traced the RAT to a Russian IP address. In a November 2014 correspondence with SFSU president Leslie Wong, Hoffman wrote, “We identified a tunnel going back to Russia (yes, sounds like a movie, and we are in it…).”
“We don’t yet know how developed the code is nor its objective,” Hoffman added.
On January 14, 2015, Hoffman was fired by the university. Hoffman is now embroiled in a whistleblower retaliation lawsuit against the…