The University’s new online sexual assault prevention training for first-years was hacked last month. As a result, the website was taken down Aug. 26, and some first-years have not completed the program, said Ravi Pendse, vice president for Computing and Information Services.
The program, called Agent of Change, experienced a breach in website security that compromised important student data, wrote Russell Carey ’91 MA’06, executive vice president for planning and policy, and Maud Mandel, dean of the College, in a Sept. 4 email to first-years.
Students’ private information such as student identification numbers, email addresses, Agent of Change usernames and passwords, gender identity, race, ethnicity, relationship status, sexual orientation and institution name were vulnerable to the intrusion, according to a Sept. 4 press release by We End Violence, the third-party vendor of Agent of Change.
We End Violence discovered a “potential intrusion” into its website server Aug. 24, according to the press release. Exercising caution, the organization took down the Agent of Change website Aug. 26 and hired web developers to restore the site with enhanced security features. First-years who did not complete the module before Aug. 26 have not had access to the site since.
Agent of Change brought in forensic experts to figure out how the hackers accessed the information, and an investigation is ongoing, Pendse said. We End Violence has not yet gathered any evidence indicating user information has been misused, according to the press release.
“Agent of Change only had direct information that students submitted on the site,” Pendse said. Other information such as students’ social security numbers and bank account numbers are stored with the University and were not accessible to the Agent of Change hacker, he added.
The University remains unsure of when the program will be relaunched, Pendse said. An abnormal increase in phishing has not been noted since the hack, he said.
Carey and Mandel encouraged students who used the same password for both their Brown accounts and their Agent of Change accounts to promptly change their Brown passwords. Students also have the option of using a two-step verification for their Brown email accounts, which requires a password input on their computers as well as their mobile phones, Pendse said.
Several first-years interviewed expressed little worry over their compromised data.
“I didn’t change my password,” said Logan Cody ’19. “I wasn’t worried about it.”
“I got the email, and I disregarded it,” said Max Naftol ’19. “I don’t care as much as I probably should,” he said, adding that he also did not change his password.