In October 2025, SDSU became aware of the theft of funds from a university department, according to a campuswide email sent to students, faculty and staff on Feb. 19.

The email stated that upon discovering the fraudulent activity, the university reported the matter to law enforcement and took immediate action to recover the funds from a third party. 

According to CBS 8, documents show SDSU wired $5.9 million to a fake business. With assistance from the FBI, most of the funds were recovered, but approximately $500,000 remains missing. 

University officials have said the incident did not involve a breach or disclosure of protected data, including student, faculty or staff financial or personal information. 

The university confirmed that more than 90% of the funds have been recovered. 

As this is an ongoing investigation, university officials did not disclose the specific department involved or the administrative level at which the funds were accessed.  

The campuswide email outlined measures the university uses to prevent and respond to cyber threats. These include multi-factor authentication, secure network access through a virtual private network and password management tools. 

SDSU also utilizes a layered email security platform designed to mitigate phishing, malware, business email compromise and domain spoofing risks.

SDSU stated that it maintains continuous system monitoring, performs regular software updates and follows established security standards and incident response protocols.

University officials encourage the campus community to report suspicious activity as this investigation continues.