[ISN] They got her number

From: InfoSec News (alerts@private)
Date: Mon Jan 08 2007 - 01:07:36 PST


The Orange County Register
January 7, 2007

LAGUNA NIGUEL -- Lee Steidel was a bit mystified when she got four new 
credit cards in the mail, but she figured with the holidays coming up, 
maybe she could use them.

A few days later she got the statements at her home in Laguna Niguel. 
Someone had stolen her identity and charged $8,000 on cards in her name.

To add insult to injury, the thieves signed up for "credit protection" 
on a Macy's card and donated $25 to charity.

Steidel began the long, tedious process of reporting the thefts and 
repairing her credit, without any idea of how they could have happened.

On Dec. 12, she was among 800,000 people notified that their personal 
information could have been stolen from a database at UCLA in the past 

It was the largest campus security breach in history. Thieves had hacked 
into UCLA's huge database and mined Social Security numbers for months 
without detection.

"I can't prove my identity was stolen from this UCLA break-in, but it 
certainly is quite a coincidence," said Steidel, a real estate appraiser 
who took a UCLA extension class in Westwood last summer.

UCLA spokesman Phil Hampton said the university is unsure how many 
people's Social Security numbers were stolen but that it was probably 
"in the 5 percent range" of the 800,000 people in the database.

That would be 40,000 people.

The hacker was able to exploit a previously unknown vulnerability in 
UCLA's security system to access the database with names, Social 
Security numbers, birth dates, home addresses and contact information.

The database had information about current and former students, faculty 
and staff members, some student applicants and some parents or students 
who applied for financial aid. Some UC Merced and Office of the 
President staff members also were affected.

According to UCLA, the security breach was found Nov. 21 when 
technicians noticed unusual activity.

"This was a sophisticated hacker who was able to cover his or her tracks 
very well, access the database and bypass our diligent security 
measures," Hampton said.

The FBI is investigating the break-in, he said.

"We are encouraging people who believe they are victims to file reports 
with the FBI or local law enforcement," Hampton said.

UCLA set up a Web site, www.identityalert.ucla.edu, with information, 
and a toll-free hot line, 877-533-8082.

By the third week in December, the hot line had answered about 30,000 
calls on the subject, Hampton said.

On the day that UCLA says it discovered the break-in, UCLA Today 
magazine ran an article on the new director of campus computer security 
under the headline, "IT Expert Protects Campus From Cyber Attacks."

College databases are attractive to hackers because they typically have 
Social Security numbers. The federal government requires students who 
apply for financial aid to use their Social Security numbers as 
identifiers, so colleges must keep them on file.

Also, many colleges have used Social Security numbers to identify 
students. To prevent identify theft, a state law is ending that practice 
in California.

UC Irvine records were not involved in the break-in. No one at UCI would 
talk about computer breaches there, but the campus issued a statement 
saying that a few minor incidents had occurred in the past.

"In our case, all the incidents were addressed, which of course included 
notifying those affected," UCI spokesman Jim Cohen said in the 
statement. "This is a threat institutions such as UCI face every day and 
we suspect that no institution of our size, despite everyone's efforts, 
has proved invulnerable."

Cal State Fullerton stopped using Social Security numbers as student IDs 
in 2004, replacing them with different nine-digit numbers.

Cal State Fullerton's chief information technology officer, Amir 
Dabirian, said the campus security system repelled 270 million attempts 
to penetrate its firewalls last year from Internet attacks, viruses and 

"We do the best we can," Dabirian said. "If you don't monitor the system 
very closely for breaches, you could have the system breached and not 
know it."

UCLA's case is the kind of scenario that keeps Dabirian and his peers up 
at night.

He said one mistake UCLA probably made was maintaining such a large 
database filled with personal information on not only students but also 
alumni and parents.

"Obviously, they don't have 800,000 students there. It is something we 
looked at a long time ago and removed our alumni from" the student 
database, Dabirian said. "We don't keep Social Security numbers in our 
alumni database. Other institutions should also aggressively take those 

"I think they have done the best they can. Unfortunately, this incident 
proves you can't be perfect," he said.

Steidel's problems occurred in October, when charge accounts were opened 
in her name in the San Fernando Valley, mostly around Northridge. The 
thieves had created bogus driver's licenses to match her name and used 
her real address to open the accounts at J.C. Penney, Macy's and Best 

Steidel uses K. Lee Steidel as her legal name, and one thief simply made 
up a driver's license as "Kenneth Steidel."

They used their instant store credit to buy thousands of dollars in gift 
cards and, at Macy's, an $894 Coach purse.

"I don't even carry a purse," Steidel said.

Macy's even closed her existing, legitimate account in favor of the new, 
fraudulent account.

At Sears, the thief was notified that Steidel already had an account, 
which he then used to buy $3,500 in gift cards, using a fake driver's 

Sears issued a statement saying it takes "the security of our customers' 
information very seriously."

The purchases at J.C. Penney qualified Steidel for "Privilege Gold" card 
status, which she learned when she got a new card in her mailbox.

Responding to a reporter's query, a spokesman for GE Money, which 
operates Penney's credit-card program, said in a statement that Steidel 
"was not held liable for any fraudulent charges, and the account was 

The only store that turned the thieves down was Target something she 
learned after receiving a rejection letter addressed to Kenneth Steidel.

"I must applaud Target. It was the only retailer who checked the 
application and declined, thank goodness," she said.

Steidel said she was unable to get answers on the UCLA hot line, so she 
called UCLA's legal counsel office. She wanted to know why a hacker had 
been able to break into the university's system for 13 months without 

Steidel said a lawyer at UCLA told her the problem was uncovered when 
technicians noticed a significant number of records being transferred to 
China. Forensic experts found retroactive break-ins, she said.

UCLA spokesman Hampton was unable to confirm Steidel's information about 
the break-ins.

She said the university was not offering financial assistance to 

"I have spent 76 hours working on this so far," Steidel said. "I 
contacted all the creditors' fraud departments, and then you have to 
file a crime report with the sheriff."

While the fraudulent charges will be removed from her bills, she can't 
buy the new car she wants because of the fraud alerts on her credit 
reports and the high debts her credit report shows.

"I think we should get free classes for the rest of our lives for this," 
Steidel said.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Mon Jan 08 2007 - 01:14:45 PST