Some subtle genius working with an organized crime gang in Russia or China must be up for the Virus Writer's Hall of Fame for "an infestation" of viruses that was not only able to scour all the networks of City College of San Francisco for personal banking and financial data, but to do it secretly for a dozen years.
The first virus was discovered shortly after Thanksgiving, when an external security monitoring service flagged a single workstation in one computer lab as being infected with a keylogger, which College CTO David Hotchkiss immediately shut down, according to the San Francisco Chronicle.
At least seven viruses or variants of the same virus have infected the college district's administrative, instructional and wireless networks and, probably, any personal computers or flash drives that connected to the network since the infestation began – in 1999.
The viruses are dormant during the day, but activate themselves at night to scour the network looking for personal identity or financial data, which they send to a total of 723 IP addresses in Russia, China, Iran, the U.S. and at least six other countries, according to the Associated Press.
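Detection logic for the pattern described above, as an added example that is not from the article or from the college's own tooling: it reads constructed flow records and flags internal hosts that reach several distinct external addresses overnight. The campus address range, the overnight window and the sample records are all assumptions.

```python
"""Added example (not from the article): flag hosts that contact many
distinct external IPs during off-hours, the behaviour described above."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed campus address space; anything outside it counts as external
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")
# Assumed off-hours window: 22:00 through 05:59
NIGHT_START, NIGHT_END = 22, 6

# Constructed sample flow records: "timestamp src_ip dst_ip bytes_out"
SAMPLE_FLOWS = """\
2011-12-01T02:13:05 10.20.5.14 203.0.113.7 48211
2011-12-01T02:14:11 10.20.5.14 198.51.100.23 51034
2011-12-01T02:15:40 10.20.5.14 192.0.2.88 47790
2011-12-01T02:16:02 10.20.5.14 203.0.113.99 50233
2011-12-01T10:05:09 10.20.5.14 192.0.2.10 1200
2011-12-01T03:01:00 10.20.7.3 10.20.0.5 900
2011-12-01T03:02:00 10.20.7.3 203.0.113.7 600
2011-12-01T14:30:00 10.20.9.1 198.51.100.23 700
2011-12-01T14:31:00 10.20.9.1 192.0.2.88 700
2011-12-01T14:32:00 10.20.9.1 203.0.113.99 700
"""


def is_night(ts: datetime) -> bool:
    """True when the timestamp's hour falls inside the overnight window."""
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def nocturnal_talkers(flow_text: str, min_external: int = 3) -> dict:
    """Return {src_ip: sorted external dst IPs} for every host that reached
    at least `min_external` distinct external addresses during off-hours."""
    night_dsts = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        ts_text, src, dst, _bytes_out = line.split()
        ts = datetime.fromisoformat(ts_text)
        if not is_night(ts):
            continue  # daytime traffic is not the pattern being hunted here
        if ipaddress.ip_address(dst) in CAMPUS_NET:
            continue  # internal destinations are out of scope for this check
        night_dsts[src].add(dst)
    return {src: sorted(dsts) for src, dsts in night_dsts.items()
            if len(dsts) >= min_external}
```

Calling `nocturnal_talkers(SAMPLE_FLOWS)` on the constructed records returns only `10.20.5.14`, the host that spoke to four external addresses between 02:00 and 03:00; the daytime-only host and the night host with a single external contact are not flagged.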
Some of the addresses are connected with the Russian Business Network, a criminal organization specializing in theft and resale of personal and financial data, Hotchkiss said.
The Russian Business Network also operated what Symantec calls "the granddaddy of online hosting networks for criminals" until the organization itself broke up in 2008. Individual former members are still collecting stolen data from sites infected with RBN malware years ago, a Symantec spokesperson said.
"We looked in the system and discovered these things were all over the place," John Rizzo, president of the college's Board of Trustees, told the AP.
Colleges and universities are notoriously porous, to the point that servers they own are routinely used even by non-student hackers as proxies to hide their origins, as storage locations for stolen data and as broadcast facilities for malware mailings.
And that's in addition to hacking done both to and from University systems by hackers-in-training who actually are enrolled in the university.
City College of San Francisco had particularly bad security, according to Hotchkiss, who took over as CTO in July of 2010.
Shortly before Hotchkiss arrived, the IT staff installed a firewall that cut off access to porn sites – until faculty members complained that students needed access to porn sites for research.
Access to the porn sites, and to the viruses they often distribute, was restored.
The rest of City College's security wasn't anything to brag about, either. The cash-strapped school rarely had any money to spare for antivirus software, or for any other type of security, according to IEEE Spectrum.
A set of rigid policies made it difficult even to decide on changes to security, let alone to implement them, so security could not be adapted in even the most basic ways.
"When I found out they hadn't changed passwords in over 10 years, I hit the roof," Hotchkiss told the Chronicle.
Even after months of logging and analyzing data from the viruses already identified, Hotchkiss and the City College IT crew are no closer to cleaning out or securing the network.
They're going through the College's 17 computer systems one by one to identify where the infections are and what types of information have been stolen, and they are preparing to notify, in accordance with state law, everyone whose personal information might have been stolen through City College sites.
Hotchkiss, the City College IT department and the external service provider that identified the infection in the first place have not yet identified everyone who might be at risk, nor the other areas in which the school's systems may have been penetrated.
Right now Hotchkiss and the administration are worried about what other security catastrophes might still be hiding under the surface at City College. Even the stealthiest virus couldn't stay hidden for a dozen years without an equally outstanding level of negligence and carelessness from the virus hunters. With that level of inattention, even 12 years' worth of uninterrupted virus infection and data theft may be just the tip of the iceberg.