[ISN] Major breach of UCLA's computer files

From: InfoSec News (alerts@private)
Date: Tue Dec 12 2006 - 22:00:35 PST


http://www.latimes.com/news/local/la-me-ucla12dec12,0,3028487,full.story?coll=la-home-headlines

By Rebecca Trounson
Times Staff Writer
December 12, 2006

In what appears to be one of the largest computer security breaches ever 
at an American university, one or more hackers have gained access to a 
UCLA database containing personal information on about 800,000 of the 
university's current and former students, faculty and staff members, 
among others.

UCLA officials said the attack on a central campus database exposed 
records containing the names, Social Security numbers and birth dates 
the key elements of identity theft for at least some of those affected. 
The attempts to break into the database began in October 2005 and ended 
Nov. 21, when the suspicious activity was detected and blocked, the 
officials said.

In a letter scheduled to be sent today to potential victims of the 
breach, acting Chancellor Norman Abrams said that although some Social 
Security numbers were obtained by the hackers, the university had no 
evidence that any of the information had been misused.

"We take our responsibility to safeguard personal information very 
seriously," Abrams said in the letter, which was scheduled to be mailed 
or e-mailed overnight to those whose records were compromised. "My 
primary concern is to make sure this does not happen again" and to 
provide information to try to minimize the risk of identity theft for 
those affected, he said.

Abrams urged those whose records might have been accessed to monitor 
their consumer credit files and consider fraud alerts and other 
precautions.

The UCLA incident is the latest in a series of computer security 
breaches affecting private organizations, financial institutions, 
government agencies and other large employers. Partly because of their 
tradition of openness, universities are proving to be a favorite and 
often vulnerable target, several experts in the field said Monday.

"Universities tend to have a lot of information floating around in a lot 
of different places," said Jay Foley, executive director of the Identity 
Theft Resource Center, a San Diego-based nonprofit. "They are places we 
send our children to share ideas, and it's hard to mix the open sharing 
of ideas with the need to tighten down on security."

In 2003, for example, a hacker at San Diego State used an outdated 
computer network in the drama department to find a way into the 
financial aid system. The Social Security numbers of more than 200,000 
people were exposed.

Foley and others interviewed said that although there was no evidence of 
any fraudulent or illegal use of the information, the UCLA breach, in 
the sheer number of people affected, appeared to be among the largest at 
an American college or university.

"To my knowledge, it's absolutely one of the largest," said Rodney 
Petersen, security task force coordinator for Educause, a nonprofit 
higher education association that focuses on technology issues. He said 
most problems at universities have involved breaches of departmental or 
other, smaller databases.

Comprehensive statistics on computer break-ins at colleges do not exist. 
But in the first six months of this year alone, there were at least 29 
security failures at colleges nationwide, jeopardizing the records of 
845,000 people. Both private and public institutions have been hit. In 
2005, a database at USC was hacked, exposing the records of 270,000 
individuals.

Petersen said that in a survey released by Educause in October, about a 
quarter of 400 colleges said that over the previous 12 months, they had 
experienced a security incident in which confidential information was 
compromised.

At UCLA, officials said Monday that the targeted database included 
records for the university's current and former students, faculty and 
staff, in some cases dating to the early 1990s. Others potentially 
affected included some applicants during the last five years who did not 
enroll at the university, as well as some parents of students or 
applicants who had applied for financial aid.

About 3,200 of those being notified are current or former staff and 
faculty of UC Merced and current or former staff of UC's Oakland 
headquarters. UCLA handles administrative processing for both groups.

Besides names, Social Security numbers and birth dates of those 
affected, the database includes home addresses and contact information, 
officials said. It does not contain driver's license numbers or credit 
card or banking information.

Jim Davis, UCLA's associate vice chancellor for information technology, 
described the attack as sophisticated, saying it used a program designed 
to exploit a flaw in a single software application among the many 
hundreds used throughout the Westwood campus.

"An attacker found one small vulnerability and was able to exploit it, 
and then cover their tracks," Davis said.

He said the problem was spotted when computer security technicians 
noticed an unusually high number of suspicious queries to the database. 
It took several days for investigators to be sure that it was an attack 
and to learn that Social Security numbers were the target, he said.

Davis said the investigation was continuing, but that university 
officials had decided to notify potential victims now.

"UCLA and its community are the victims of this, and despite the great 
deal of effort we put into security, this really is a breach of trust 
with our community," he said. "Given that we saw intent in this, we 
needed to let people know."

UCLA has established a website to provide information and answer 
questions about the incident at http://www.identityalert.ucla.eduand a 
toll-free call center, (877) 533-8082.

Laura Eimiller, spokeswoman for the FBI's Los Angeles office, said the 
agency was investigating the breach, but said she could not comment 
further.

rebecca.trounson (at) latimes.com


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Tue Dec 12 2006 - 22:03:50 PST