What should I do now?

We strongly recommend you take the following steps to protect your identity and personal information: Change your Bronco password immediately by visiting the Identity Management Services page.

Update any other personal accounts where you may have used the same password.

Be aware of phishing attempts and follow the suggestions on the IT Service Desk’s Phishing page

Never provide a user ID or password in email.

Never reply to emails asking you to send personal or financial information

Expect to receive additional information from the third-party vendor, We End Violence, which provided the Agent of Change training.

Back to top

How did this happen?

There was an unauthorized intrusion into the network of the third-party vendor, We End Violence. The vendor supplied “Agent of Change” sexual assault prevention training class to our campus.

Back to top

What is a data breach?

A data breach is an incident in which an unauthorized individual gains access to private information on a computer network.

Back to top

Did the intrusion affect the university’s data network?

No. The intrusion occurred only on the network of the third-party vendor, We End Violence, which provided the Agent of Change training.

Back to top

Has my identity been stolen?

No Social Security numbers, driver’s licenses or credit card information was compromised. The data involved is: Student name, Bronco ID, email address, the Agent of Change user ID (set by the student), and the Agent of Change password (set by the student). In addition, there was an optional survey that asked questions about students’ characteristics.

Back to top

Do they have access to my Social Security number?

No. Social Security numbers were not used in the sign-up process for Agent of Change. However, if you used the same password for Agent of Change as you use on other personal accounts, those accounts could be vulnerable. We recommend you change the passwords on those accounts as well.

Back to top

What is a phishing attempt?

Phishing is an attempt to acquire sensitive personal or financial information, such as user names, passwords and credit card information, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. For more information about phishing, visit our Phishing page.

Back to top

Should I expect more phishing scams now?

We always advise our students to be vigilant against phishing scams, which can be attempted even when there has not been a data breach.

Back to top

Who was affected?

The breach has affected seven CSU campuses At Cal Poly Pomona, the number of students who may have been affected is 19,658.

Back to top

What is Agent of Change?

Agent of Change is the name of a sexual assault prevention training class provided by a third-party vendor, We End Violence. Sexual assault prevention training was required by state law for all students enrolled in spring quarter 2015.

Back to top

What is We End Violence?

We End Violence is the third-party vendor contracted with the CSU to provide the sexual assault prevention class. The name of their class is Agent of Change.

Back to top

What is being done to fix the problem?

Cal Poly Pomona is working with the Information Security Office at the Office of the CSU Chancellor and the vendor to ensure this matter is resolved as swiftly as possible. We are asking students who signed up for the Agent of Change course to change their password immediately by visiting the Identity Management Services page. Passwords that have not been changed will expire after 90 days.

Back to top

Will this affect my registration?

No. This will have no effect on your registration.

Back to top

Do I need a new Bronco ID?

You do not need a new Bronco ID. Changing your Bronco password will ensure your student accounts are secured.

Back to top

When did you find out about this?

The CSU was informed about a possible breach on Friday, Aug. 28.

Back to top

Why am I finding out about this a week later?

Cal Poly Pomona worked to notify students as quickly as possible. Due to the size of the breach and because it happened on the network of a third-party vendor, the university needed to first investigate and determine who was affected.

Back to top

Are you ever going to use this company again?

No. Cal Poly Pomona has switched to another provider of sexual assault prevention training for future classes.

Back to top

Will I have to take the training again with the new company?

If you already completed your training through Agent of Change during spring quarter, you will not be required to retake it this year.

Back to top