Malware that lay undetected on the PCs at a US college for over a decade has probably allowed criminals as far afield as China, Russia and Iran to steal sensitive data, admins have discovered to their horror.

The scale of the data theft from City College in San Francisco (official motto: 'the truth shall make you free') is not yet known, but the length of time the malware was able to transmit data is giving IT staff cause for concern.

According to the San Francisco Chronicle, the problem only became apparent in November when security monitoring systems detected unusual traffic patterns emanating from one of the college's computer labs.

Closer examination revealed a clutch of malware that was scanning for data on computers attached to the network at the same time each night for up to a decade. In one example this involved sending what was found back to IP addresses associated with the infamous Russian Business network gang whose heyday was at least three years ago.

Widening the search, admins discovered similar problems on 17 different computer systems including servers used for admin, instructional and WiFi with only those holding medical data thought to be in the clear; payroll, admissions and accounting systems are still being analysed.

There is particular concern that students might have infected themselves via USB sticks while using College computers, potentially compromising external PCs used later on. Data at risk in this scenario would include online banking logins.

"We may never know the full extent of the damage, and how many lives have been affected by this," City College CTO David Hotchkiss told the Chronicle. "These viruses are shining a light on years of neglect."

That malware found its way on to computers in an environment such as university or college will surprise nobody. Harder to explain is the length of time a multitude of different pieces of common and certainly old malware was able to transmit data without being detected.

Educational hacks tend to be inside jobs, such as the former University of Central Missouri students who broke into databases and pilfered data on 90,000 people working for or attending the institution.

In 2010, a report from RSA drew attention to the growing number of attacks on universities by outsiders, including one in which criminals impersonated a university server in order to harvest data from students.