http://www.ocregister.com/ocregister/news/homepage/article_1537469.php By MARLA JO FISHER The Orange County Register January 7, 2007 LAGUNA NIGUEL -- Lee Steidel was a bit mystified when she got four new credit cards in the mail, but she figured with the holidays coming up, maybe she could use them. A few days later she got the statements at her home in Laguna Niguel. Someone had stolen her identity and charged $8,000 on cards in her name. To add insult to injury, the thieves signed up for "credit protection" on a Macy's card and donated $25 to charity. Steidel began the long, tedious process of reporting the thefts and repairing her credit, without any idea of how they could have happened. On Dec. 12, she was among 800,000 people notified that their personal information could have been stolen from a database at UCLA in the past year. It was the largest campus security breach in history. Thieves had hacked into UCLA's huge database and mined Social Security numbers for months without detection. "I can't prove my identity was stolen from this UCLA break-in, but it certainly is quite a coincidence," said Steidel, a real estate appraiser who took a UCLA extension class in Westwood last summer. UCLA spokesman Phil Hampton said the university is unsure how many people's Social Security numbers were stolen but that it was probably "in the 5 percent range" of the 800,000 people in the database. That would be 40,000 people. The hacker was able to exploit a previously unknown vulnerability in UCLA's security system to access the database with names, Social Security numbers, birth dates, home addresses and contact information. The database had information about current and former students, faculty and staff members, some student applicants and some parents or students who applied for financial aid. Some UC Merced and Office of the President staff members also were affected. According to UCLA, the security breach was found Nov. 21 when technicians noticed unusual activity. "This was a sophisticated hacker who was able to cover his or her tracks very well, access the database and bypass our diligent security measures," Hampton said. The FBI is investigating the break-in, he said. "We are encouraging people who believe they are victims to file reports with the FBI or local law enforcement," Hampton said. UCLA set up a Web site, www.identityalert.ucla.edu, with information, and a toll-free hot line, 877-533-8082. By the third week in December, the hot line had answered about 30,000 calls on the subject, Hampton said. On the day that UCLA says it discovered the break-in, UCLA Today magazine ran an article on the new director of campus computer security under the headline, "IT Expert Protects Campus From Cyber Attacks." College databases are attractive to hackers because they typically have Social Security numbers. The federal government requires students who apply for financial aid to use their Social Security numbers as identifiers, so colleges must keep them on file. Also, many colleges have used Social Security numbers to identify students. To prevent identify theft, a state law is ending that practice in California. UC Irvine records were not involved in the break-in. No one at UCI would talk about computer breaches there, but the campus issued a statement saying that a few minor incidents had occurred in the past. "In our case, all the incidents were addressed, which of course included notifying those affected," UCI spokesman Jim Cohen said in the statement. "This is a threat institutions such as UCI face every day and we suspect that no institution of our size, despite everyone's efforts, has proved invulnerable." Cal State Fullerton stopped using Social Security numbers as student IDs in 2004, replacing them with different nine-digit numbers. Cal State Fullerton's chief information technology officer, Amir Dabirian, said the campus security system repelled 270 million attempts to penetrate its firewalls last year from Internet attacks, viruses and hackers. "We do the best we can," Dabirian said. "If you don't monitor the system very closely for breaches, you could have the system breached and not know it." UCLA's case is the kind of scenario that keeps Dabirian and his peers up at night. He said one mistake UCLA probably made was maintaining such a large database filled with personal information on not only students but also alumni and parents. "Obviously, they don't have 800,000 students there. It is something we looked at a long time ago and removed our alumni from" the student database, Dabirian said. "We don't keep Social Security numbers in our alumni database. Other institutions should also aggressively take those out. "I think they have done the best they can. Unfortunately, this incident proves you can't be perfect," he said. Steidel's problems occurred in October, when charge accounts were opened in her name in the San Fernando Valley, mostly around Northridge. The thieves had created bogus driver's licenses to match her name and used her real address to open the accounts at J.C. Penney, Macy's and Best Buy. Steidel uses K. Lee Steidel as her legal name, and one thief simply made up a driver's license as "Kenneth Steidel." They used their instant store credit to buy thousands of dollars in gift cards and, at Macy's, an $894 Coach purse. "I don't even carry a purse," Steidel said. Macy's even closed her existing, legitimate account in favor of the new, fraudulent account. At Sears, the thief was notified that Steidel already had an account, which he then used to buy $3,500 in gift cards, using a fake driver's license. Sears issued a statement saying it takes "the security of our customers' information very seriously." The purchases at J.C. Penney qualified Steidel for "Privilege Gold" card status, which she learned when she got a new card in her mailbox. Responding to a reporter's query, a spokesman for GE Money, which operates Penney's credit-card program, said in a statement that Steidel "was not held liable for any fraudulent charges, and the account was closed." The only store that turned the thieves down was Target something she learned after receiving a rejection letter addressed to Kenneth Steidel. "I must applaud Target. It was the only retailer who checked the application and declined, thank goodness," she said. Steidel said she was unable to get answers on the UCLA hot line, so she called UCLA's legal counsel office. She wanted to know why a hacker had been able to break into the university's system for 13 months without detection. Steidel said a lawyer at UCLA told her the problem was uncovered when technicians noticed a significant number of records being transferred to China. Forensic experts found retroactive break-ins, she said. UCLA spokesman Hampton was unable to confirm Steidel's information about the break-ins. She said the university was not offering financial assistance to victims. "I have spent 76 hours working on this so far," Steidel said. "I contacted all the creditors' fraud departments, and then you have to file a crime report with the sheriff." While the fraudulent charges will be removed from her bills, she can't buy the new car she wants because of the fraud alerts on her credit reports and the high debts her credit report shows. "I think we should get free classes for the rest of our lives for this," Steidel said. _____________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Mon Jan 08 2007 - 01:14:45 PST