Creative Commons
An unidentified hacker exposed Chico State students’ vaccination status and other personal information. The students had applied for religious exemptions to the school’s vaccine requirement.
COVID-19 vaccination requirements have opened up a Pandora’s box of new cybersecurity challenges for colleges and universities, which are already some of the most tempting targets for extortion. But what if a hacker is not motivated by money or bragging rights? And what is a university ultimately to do about the unvaccinated?
On August 15, the names of dozens of unvaccinated California State University, Chico students who claimed religious exemptions were posted on an anonymous internet message board. The published spreadsheet contained information for some of the students, including emails, detailed reasons for requests, and the status of the cases. About half of the requests were approved, according to the Sacramento Bee report. Another 20 requests needed further information, while some of the students who were denied an exemption were given a second chance to make a request.
The university did not know about the breach until contacted by the newspaper on Monday. (The students were notified on Tuesday.) The hacker did not demand a ransom. The university has provided little information other than saying that it has an unspecified lead in the case, and that the school is taking “proactive steps to protect students’ confidential information.”
Most hackers that have attacked universities have been interested in getting access to specific research or extorting a hefty ransom. In 2020, 26 colleges and universities were targeted with ransom threats. Three of those universities were conducting COVID-19 research: the University of California San Francisco (UCSF), Michigan State University, and Columbia College Chicago. UCSF alone paid a $1.4 million ransom.
In 2020, 26 colleges and universities were targeted with ransom threats. Three of those universities were conducting COVID-19 research.
Universities, like government agencies, store a mother lode of sensitive information about individuals, including Social Security numbers, credit histories, and other financial information. The release of this type of information is one threat that hackers have used to convince universities to pay up. Last year, the University of Utah’s information security office used backups to restore local systems and services after a breach. However, once the hackers threatened to publish student and employee information, the university paid a nearly $460,000 ransom. (The university noted that it based its decision to pay on the nature of the attack and the attackers.) No data was released and the school did not detail the type of data involved.
At Chico State, the hacker may have been a tipster for students seeking to avoid the mandate: The individual posted suggestions like “State purely religious reasons only” and “Do not mention anything else.”
By publishing personal information, without a ransom demand or a further attempt to gain access to other sensitive student information, the hacker or hackers also may have been interested in doxxing the people making the religious exemption requests. “It singles me out,” one Chico State student told the Bee. Moreover, the fact that the university apparently did not find out about the breach until a reporter came calling warrants a very serious assessment of its security measures.
During the pandemic, religious exemptions in education have come under greater scrutiny. Faith leaders have sought to clear up the confusion and have offered specific pronouncements about vaccines. Catholic colleges and universities have not allowed students or employees to claim religious exemptions at all, following a directive from the Vatican.
In the K-12 arena, 44 states allow exemptions for religious reasons. In 2015, California eliminated religious and other nonmedical exemptions for K-12 students. Dorit Rubinstein Reiss, a professor at UC Hastings College of the Law, told the Los Angeles Times that K-12 education is a right, unlike higher education.
The vast majority of Chico State’s 16,630 students have been vaccinated; 7 percent have requested a medical or religious exemption or have documented that they do not plan to come to campus. Some students have expressed reservations about the late-September vaccination deadline and the presence of unvaccinated people on campus.
Whether COVID-19 prompts more data breaches, vaccine dodges, and doxxing on other campuses may depend on the speed at which colleges and universities decide how they plan to deal with unvaccinated students and whatever exemptions they request. And just because this doxxing exposed those requesting to remain unvaccinated doesn’t mean that future events won’t do the reverse, exposing those who received the vaccine.
Some campuses, like the University of Idaho, only recommend vaccination and do not track student vaccination status. Many others have mandated vaccination. The University of Virginia has already “disenrolled” more than 200 students who have not gotten a shot; they can come back if they change their minds by a certain deadline. Quinnipiac University has come up with stiff fines and losing access to Wi-Fi and other internet connections.
Once upon a time in human history, vaccines were developments to be cheered rather than infringements to be shouldered or circumvented. Instead, the politicization of the production of a reliable and safe vaccine in a fraction of the normal time has pitted angry camps of people shouting about freedoms against angrier people screaming about avoiding debilitating sickness or death. Professions of religious faith merely add to the confusion in the very spaces where there should be no doubt about what works and saves lives.