Stanislaus State officials believe they've found source of ID theft

TURLOCK -- It was like any other day when Phillip Cuaresma went to pay some bills online, except this time his bank account was missing $1,000. His statement showed purchases made in Mexico, which he hasn't visited since 2005.

Dozens of California State University, Stanislaus, students, staff and visitors have reported fraudulent uses of their bank or credit cards in the past three months, according to Steve Jaureguy, chief of the University Police Department. Officials estimate thousands of dollars have been stolen.

After receiving reports of the suspicious purchases in November, university police joined with the county's High-Tech Crime Task Force to track down the breach.

Officials have narrowed it to an unsecured computer server owned by food services vendor Sodexho, Jaureguy said. Sodexho officials deny that claim.

Until the server is secure, university officials are not allowing bank or credit card purchases at food service locations, which forces customers to use cash. Several thousand students and staff will flood campus when the spring semester starts Wednesday. Officials had no timeline for when credit and debit cards would again be accepted.

Sodexho has provided food services at the university for 40 years. Campus dining averages 2,500 customers, and 300 to 400 charge transactions a day.

Police have no suspects but are investigating everything, including possible hackers or employees stealing the information, Jaureguy said.

There are two ATMs on campus, one in the student union and one in the administration building; both are next to the cafeteria.

On Jan. 11, university officials announced bank and credit card numbers, expiration dates and cardholder names of thousands of students, staff and visitors were compromised and that some information was illegally used. A campuswide e-mail went out that day, but only to university addresses, not personal e-mail accounts, so most students did not receive word, upsetting many of them. Messages were posted at dorms and on buildings across the campus, officials said.

Anyone who purchased food at the main dining hall, Mom's coffee shop and Pop's convenience store in the past six months is vulnerable. Sodexho stores transaction data for 180 days in the event a customer disputes a charge, a company spokesman said.

University police say it appears the card numbers are being sold to people outside of the area, because victims have reported fake purchases in Mexico, Canada and New Orleans.

Cuaresma noticed his charges in December.

"I told my friends I went Christmas shopping in Mexico without even knowing it," said the 45-year-old, who is pursuing a master's degree in social work.

Cuaresma was able to move money from a savings account into his checking account to cover bills and his mortgage and was reimbursed by his bank within a week.

Others weren't so fortunate.

Many students live month to month and didn't have extra money to cover their bills while waiting for reimbursements.

This is the third time Cuaresma's personal information has been made public through the university. His information was accidentally sent out in a public e-mail and was stored on a Google server, both within the past three years, he said.

Despite the interruptions and identity theft, Cuaresma said he's not going to stop using his bank and credit cards.

"Security is never perfect. It's a game. Businesses have a new level of security ready to roll out when the bad guys figure out how to beat your old one," said Cuaresma, a self-described "techno geek." "Ultimately, I got my money back. It's still safer than carrying cash."

Security-specific contracts

University officials said they are working on amending contracts to include specific language requiring a certain level of computer server and network security.

A Sodexho spokesman confirmed the company has information technology workers on campus but said it had nothing to do with the ID theft and that the work is part of normal maintenance.

Only one other vendor accepts credit and bank cards at Stanislaus State -- Barnes & Noble College Booksellers.

Major credit card companies formed the Payment Card Industry Security Standards Council in 2006 to provide security compliance and validation measures for businesses. Barnes & Noble has shown compliance with PCI standards, and university officials said they hope Sodexho will do the same soon.

"Because there were no specific standards published on how to certify or verify that things are secure, we relied on the vendor. We were told they were secure," said Clyta Polhemus, commercial operations manager for the university's auxiliary and business services.

Stanislaus State Information Technology officials scan university servers and networks to ensure security on a monthly, sometimes daily, basis, said Carl Whitman, chief information officer. But this does not include vendors' servers and networks.

"Our network is not perfect," Whitman said. "There's always something new somebody creates, they're always a step ahead. But we try to be real close to them."

University security includes encryption software, firewalls that block access, anti-virus scans and intrusion detection, Whitman said.

IT workers catch scams that target the university about once a month, he said. Unauthorized users of system networks pop up every day.

"It's what people do," he said. "It's their hobby."

Anyone who has used a bank or credit card at a campus dining facility in the past six months is encouraged to review bank or credit statements for fake purchases. He or she also can call University Police at 667-3114 or visit the California Office of Privacy Protection's Web site at www.privacy.ca.gov.

Bee staff writer Michelle Hatfield can be reached at mhatfield@modbee.com or 578-2339.
