Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called "an infestation" of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned.

At work for more than a decade, the viruses were discovered a few days after Thanksgiving, when the college's data security monitoring service flagged an unusual pattern of computer traffic.

It appeared at first that the problem was contained in a single computer lab at Cloud Hall on the Phelan Avenue campus, one of a dozen City College sites around the city. David Hotchkiss, the chief technology officer, immediately shut the lab down and reported the problem to Chancellor Don Griffin, General Counsel Scott Dickey and Board of Trustees President John Rizzo.

But a closer look revealed a far more nefarious situation, which had been lurking within the college's electronic systems since 1999. For now, it's still going on. So far, no cases of identity theft have been linked to the breach. That may change as the investigation continues, and college officials said they might need to bring in the FBI.

The college's payroll, admissions and accounting systems have yet to be analyzed for the viruses.

"We have to move as quickly as possible," Griffin said. "We don't know yet, but it doesn't mean there hasn't been a serious infection there, as well."

They troll at night

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Some of the stolen data is probably innocuous, such as lesson plans. But an analysis shows that students and faculty have used college computers to do their banking, and the viruses have grabbed the information, Hotchkiss said.

Although the extent of what has been transmitted is not yet clear, Hotchkiss said the server with medical information for students and employees appears to be virus-free.

"We may never know the full extent of the damage, and how many lives have been affected by this," Hotchkiss told three college trustees Thursday evening who met to discuss school buildings and technology issues. "These viruses are shining a light on years of (security) neglect."

State law requires that cyber victims be notified when personal information has been stolen, and college officials are trying to determine who needs to be told. The college is analyzing 17 computer systems thought to be at risk.

Russian addresses

Since Nov. 28, college officials have traced at least 723 Internet protocol addresses to the Russian Business Network, "a notorious gang in the business of stealing and selling personal information," Hotchkiss said.

Once known as "the granddaddy of online hosting networks for criminals," the Russian Business Network disbanded around 2008, according to computer security company Symantec of Mountain View. But criminals are still collecting the data - and American college students are often prime victims.

"Unfortunately, penetration into higher education is not uncommon," said Tim Matthews of Symantec's data loss prevention team. "A lot of criminals see students as investments in the future - people with clean credit records who, if they get a college degree, will be high income and a good identity to steal."

He said the criminals often hold onto the information for years as it becomes more valuable.

Nearly 1 in 5 cyber security breaches are connected to higher education, Matthews said.

Little protection

Places like City College of San Francisco, where officials have done little to protect against cyber attacks over the years, are especially vulnerable, Hotchkiss said. He arrived at City College in July 2010, and was astonished to learn how porous its computer systems have been.

"When I found out they hadn't changed passwords in over 10 years, I hit the roof," said the tech expert, who ordered them all changed last summer.

But cash-strapped City College has worse vulnerabilities than that, he said. They include poor network design and old equipment, a "draconian system" for agreeing on new policies - including urgent security issues - and little money for new, virus-resistant technology.

Some college leaders also suffer bouts of technophobia, he said, leading to lax attention to the need for cyber security. Hotchkiss' efforts to secure City College's computer systems have also run up against a competing need: academic freedom.

Shortly before Hotchkiss arrived at City College, a new firewall was installed. Technicians set it up to block pornography sites, which are notorious for transmitting computer viruses.

Then faculty began complaining to Hotchkiss that students needed access to porn sites. For research.

Eventually, given examples of the academic necessity, Hotchkiss had to remove the porn block.

He eventually hired a data security service, USDN of San Francisco, which detected the virus problem.

On Thursday evening, Trustees John Rizzo, Chris Jackson and Jeffrey Fang listened to Hotchkiss and USDN Network Security chief scientist Anthony Castillo describe how they may be looking at only the tip of the problem.

They talked about the hundreds of thousands of dollars spent over the last 10 years on consultants who failed to secure the systems, and learned that the systems lack even basic virus protections.

"Given the outright mismanagement of our networks, if someone's information is stolen, are we liable for that?" Jackson asked.

No one had an answer.