Major breach of UCLA's computer files

 

THE STATE
Personal information on 800,000 students, alumni and others is exposed.
Attacks lasted a year, the school says.
By Rebecca Trounson
Times Staff Writer

December 12, 2006

In what appears to be one of the largest computer security breaches ever at
an American university, one or more hackers have gained access to a UCLA
database containing personal information on about 800,000 of the
university's current and former students, faculty and staff members, among
others.

UCLA officials said the attack on a central campus database exposed records
containing the names, Social Security numbers and birth dates - the key
elements of identity theft - for at least some of those affected. The
attempts to break into the database began in October 2005 and ended Nov. 21,
when the suspicious activity was detected and blocked, the officials said. 

In a letter scheduled to be sent today to potential victims of the breach,
acting Chancellor Norman Abrams said that although some Social Security
numbers were obtained by the hackers, the university had no evidence that
any of the information had been misused.

"We take our responsibility to safeguard personal information very
seriously," Abrams said in the letter, which was scheduled to be mailed or
e-mailed overnight to those whose records were compromised. "My primary
concern is to make sure this does not happen again" and to provide
information to try to minimize the risk of identity theft for those
affected, he said.

Abrams urged those whose records might have been accessed to monitor their
consumer credit files and consider fraud alerts and other precautions. 

The UCLA incident is the latest in a series of computer security breaches
affecting private organizations, financial institutions, government agencies
and other large employers. Partly because of their tradition of openness,
universities are proving to be a favorite - and often vulnerable - target,
several experts in the field said Monday. 

"Universities tend to have a lot of information floating around in a lot of
different places," said Jay Foley, executive director of the Identity Theft
Resource Center, a San Diego-based nonprofit. "They are places we send our
children to share ideas, and it's hard to mix the open sharing of ideas with
the need to tighten down on security." 

In 2003, for example, a hacker at San Diego State used an outdated computer
network in the drama department to find a way into the financial aid system.
The Social Security numbers of more than 200,000 people were exposed. 

Foley and others interviewed said that although there was no evidence of any
fraudulent or illegal use of the information, the UCLA breach, in the sheer
number of people affected, appeared to be among the largest at an American
college or university. 

"To my knowledge, it's absolutely one of the largest," said Rodney Petersen,
security task force coordinator for Educause, a nonprofit higher education
association that focuses on technology issues. He said most problems at
universities have involved breaches of departmental or other, smaller
databases.

Comprehensive statistics on computer break-ins at colleges do not exist. But
in the first six months of this year alone, there were at least 29 security
failures at colleges nationwide, jeopardizing the records of 845,000 people.
Both private and public institutions have been hit. In 2005, a database at
USC was hacked, exposing the records of 270,000 individuals.

Petersen said that in a survey released by Educause in October, about a
quarter of 400 colleges said that over the previous 12 months, they had
experienced a security incident in which confidential information was
compromised. 

At UCLA, officials said Monday that the targeted database included records
for the university's current and former students, faculty and staff, in some
cases dating to the early 1990s. Others potentially affected included some
applicants during the last five years who did not enroll at the university,
as well as some parents of students or applicants who had applied for
financial aid. 

About 3,200 of those being notified are current or former staff and faculty
of UC Merced and current or former staff of UC's Oakland headquarters. UCLA
handles administrative processing for both groups.

Besides names, Social Security numbers and birth dates of those affected,
the database includes home addresses and contact information, officials
said. It does not contain driver's license numbers or credit card or banking
information.

Jim Davis, UCLA's associate vice chancellor for information technology,
described the attack as sophisticated, saying it used a program designed to
exploit a flaw in a single software application among the many hundreds used
throughout the Westwood campus. 

"An attacker found one small vulnerability and was able to exploit it, and
then cover their tracks," Davis said. 

He said the problem was spotted when computer security technicians noticed
an unusually high number of suspicious queries to the database. It took
several days for investigators to be sure that it was an attack and to learn
that Social Security numbers were the target, he said.

Davis said the investigation was continuing, but that university officials
had decided to notify potential victims now. 

"UCLA and its community are the victims of this, and despite the great deal
of effort we put into security, this really is a breach of trust with our
community," he said. "Given that we saw intent in this, we needed to let
people know." 

UCLA has established a website to provide information and answer questions
about the incident at http://www.identityalert.ucla.edu and a toll-free call
center, (877) 533-8082. 

Laura Eimiller, spokeswoman for the FBI's Los Angeles office, said the
agency was investigating the breach, but said she could not comment further.

(INFOBOX BELOW)

Hacked files

Here are some large computer security breaches involving public agencies and
U.S. companies:

CardSystems Solutions Inc.

Disclosed: June 2005

Number of records: 40 million

How: Hackers infiltrated computers at a credit card processing center.

--

U.S. Department of Veterans Affairs

Disclosed: May 2006

Number of records: 26.5 million

How: A burglar stole electronic data on veterans from the home of a federal
employee.

--

Citigroup

Disclosed: June 2005

Number of records: 3.9 million

How: United Parcel Service lost computer tapes containing account and
payment history data.

--

DSW Shoe Warehouse

Disclosed: April 2005

Number of records: 1.4 million

How: Hackers accessed a database of customers and credit card numbers.

--

Bank of America

Disclosed: February 2005

Number of records: 1.2 million

How: The company lost computer tapes containing personal information for
credit cards used by federal employees.

--

Ohio Secretary of State

Disclosed: April 2006

Number of records: "Millions"

How: The office distributed 20 copies of registered voter lists that
accidentally included Social Security numbers.



Times research by Scott Wilson 
http://www.latimes.com/news/local/la-me-ucla12dec12,0,2034010,print.story

 
