The Queens College website was offline during the first few weeks of the spring 2025 semester, leaving students, faculty, and staff without access to essential resources.
On Jan. 27th — the first Monday of the Spring term — QC’s web server was shut down due to significant cybersecurity threats identified by the CUNY Central Office and QC’s Information Technology Services (ITS). On Feb. 11th, the QC website came back online, but numerous pages remained unavailable or experienced glitches. During this period, the QC administration and ITS failed to provide the wider college community with timely communications on the status of the website.
Although a Linktree with links to academic support, student services, the CUNY academic calendar, and other resources was sent to students on Jan. 27th, the college’s failure to provide a functional website still left students without access to important resources. Students were left without access to essential information on academic departments, including department room numbers, phone numbers, and emails, as well as major declaration forms and information necessary for swapping or adding classes, with possible implications for a student’s tuition, financial status, potential holds, and enrollment.
Despite this, the college has not extended any deadlines for students unable to access vital resources.
At the Feb. 13th Academic Senate meeting, QC Chief Information Officer & Assistant Vice President Troy Hahn provided a brief explanation of the problem with the QC website. Hahn stated:
“There was a security incident at one of the other colleges within CUNY and the Central Office has started taking a way harder hand on how they’re dealing with issues that are, either, let’s say, small infractions, all the way up to very, very large ones, and the protection of the university as a whole. At that moment, the college website was running on an older version of Linux and an Apache protocol that we were not able to patch quickly enough, and we were summarily blocked with it under the guidance of security.”
Hahn has provided a timeline of the events leading up to the QC server shutdown in a statement given to The Knight News as well as in comments he made at the Feb. 13th Academic Senate meeting. Some of the key events in the timeline are:
— October 2023 to November 2024: QC begins to lay the groundwork for enhancing its cybersecurity infrastructure and agrees with the CUNY Central IT team to migrate its server infrastructure to a cloud environment over the Spring 2025 semester.
— Dec. 23rd, 2024: A flood at the Kiely Hall Data Center causes the website server to crash. The college resorts to using old hardware that was out of compliance.
— Jan. 2nd, 2025: All of the CUNY Chief Information Officers (CIOs) convene for an emergency cybersecurity meeting to discuss risk mitigation and immediate security upgrades.
— Jan. 7th: CUNY Council of Presidents are briefed on significant cybersecurity issues.
— Jan. 8th – 10th: CUNY blocks multiple QC websites without prior notice, including The Barry Commoner Center, QC Library, and several servers from Computer Science, due to critical security concerns.
— Jan. 22nd: ITS sends a message to the College Community announcing that the website is temporarily down.
— Jan. 27th: QC server shuts down.
At the Feb. 13th Academic Senate meeting, Hahn indicated that CUNY Central blocked the QC web server, as it had earlier blocked the Barry Commoner Center and QC Library sites, without first informing QC ITS.
While Hahn agreed with the actions taken by CUNY, he disagreed with the way that these actions were executed.
“I do disagree, and I have mentioned this several times in application, along with President Wu, we disagree with the execution,” Hahn told the Academic Senate. “We were not told that the website was gonna be blocked. We were not told that the library site was gonna be blocked, as well as many of the other college environments, many other departments as well, have challenges with this, such as the Barry Commoner Center, as well as Computer Science, has suffered some of this.”
However, QC ITS did not immediately inform the wider college community upon the QC web server shutdown on Jan. 27th.
On the same day, QC President Frank Wu sent out an email welcoming students, faculty, and staff to QC, which included several links to the QC website without acknowledging its shutdown. The first mass email communication on the subject came from Hahn on Jan. 29th despite the fact that Wu and members of QC administration had been aware of the problem earlier.
According to a message acquired by The Knight News, which was sent by Hahn to the QC President’s Council and the Personnel & Budget Committee (P&B) on Jan. 27th, President Wu requested that Hahn update the President’s Council and the P&B on the problems with the website server. In that message, Hahn provided a timeline for the website’s restoration process, stating, “we’ve prioritized migrating this website server into a cloud environment to ensure rapid implementation. It is anticipated we will be around 80% complete within three weeks.”
However, Hahn’s Jan. 29th mass communication to students, faculty and staff failed to provide a timeline, and from Jan. 29th to Feb. 11th, no communication was provided to the wider QC community on the status of the QC website.
Neither President Wu nor Hahn commented on why the college community was not immediately notified about the website when asked by The Knight News.
The Knight News also reached out to QC Provost Patricia Price for comment on whether the college will acknowledge the consequences of the website’s absence for students, faculty, and staff and if she anticipates that the lack of a website will lead to a decrease in enrollment. However, Price did not respond to The Knight News’ request for comment.
Prior to January, the question of QC cybersecurity vulnerabilities came up at an Academic Senate meeting on Oct. 10th, 2024.
“I do want to mention something, and I know not everyone is enthusiastic sometimes about some of the things we have to do, but we are making an effort to address rogue servers,” President Wu said at the Senate meeting.
“And we were recently — and I know there are some deans who are part of this — contacted by the United States Army because they were afraid of a possible breach of their data, which we were privy to, and they weren’t kidding around. And when folks in the military who have guns contact me to say, you need to be fixing a problem, because we feel vulnerable. If they feel vulnerable, there’s really an issue. So we will be addressing rogue servers throughout the campus.”
President Wu did not respond to The Knight News’ request for comment on whether the website shutdown was related to the Army’s concerns and why action was not taken earlier to address these threats.