[ISN] Database breach investigation ongoing

From: InfoSec News (alerts@private)
Date: Fri Jan 11 2008 - 00:37:30 PST


http://www.dailybruin.ucla.edu/news/2008/jan/10/database-breach-investigation-ongoing/

By Julia Erlandson, 
Daily Bruin senior staff 
January 10, 2008

One year after a breach of a university database compromised students' 
personal information, UCLA officials say they are continuing to track 
the case and bolster security.

In December 2006, administrators alerted the campus community that a 
hacker had accessed a UCLA database containing the names and Social 
Security numbers of over 800,000 current and former students, as well as 
faculty and staff members.

Though the database did not contain students' credit card or bank 
information, the hacker did appear to have accessed some Social Security 
numbers, which can be used to steal a person's identity.

An ongoing investigation has found no evidence of identity theft 
resulting from the breach, though affected students should still be 
vigilant, said Jim Davis, associate vice chancellor for information 
technology.

Since the incident, university officials have worked to protect students' 
Social Security numbers, Davis said.

UCLA needs Social Security numbers for financial aid purposes, since 
they need to report information to the Internal Revenue Service. But 
Davis said administrators have minimized the use of Social Security 
numbers since the breach.

"We've found a number of places where we can limit and even eliminate the 
use of Social Security numbers," he said.

He added that in cases where the university does not need to report to 
the IRS, officials can often use other identifiers for students, such as 
the last four digits of a Social Security number rather than the full 
number.

Applicants to the university must submit their Social Security numbers, 
but those numbers are deleted after two or three years, Davis said. 
Still, at any given time university databases contain around 200,000 
current and former applicants' Social Security numbers.

UCLA has also continued its investigation into the security breach and 
over the past year was able to unearth additional details, Davis said.

He said the investigation determined that the hacker gained access to 
28,600 Social Security numbers, and those people were sent additional 
notifications.

Over 18,000 of those numbers came from students' financial aid 
applications submitted between 2002 and 2006, according to a letter from 
then-acting Chancellor Norman Abrams.

UCLA has also been working with the FBI, and investigators were able to 
trace the hack to a foreign country, though there are no suspects.

Davis emphasized that the hack was extremely sophisticated, which makes 
it more difficult to track.

So far, the hacker does not appear to have actually used any of the 
Social Security numbers, though Davis said that is still a possibility.

"We continue to be careful and monitor this," he said. "Social Security 
numbers are (sometimes) held for several years and then used."

Lowell Kepke, deputy director for the Social Security Administration in 
San Francisco, said Social Security numbers can be used to open credit 
in someone else's name, so potential victims should be on the lookout for 
any odd credit card or bank activity.

"Check credit card statements to make sure all the charges are really 
yours," he said. "If someone gets a specific sign that somebody's taken 
their Social Security number and is really using it, call credit card 
companies, banks, and call the three credit agencies (to alert them to 
the fraud)."

Kepke added that everyone is entitled to one free credit report per 
year, available online at freecreditreport.com, a Web site that can 
reveal whether there has been any fraudulent activity.

In the wake of the data breach, UCLA set up a Web site for concerned 
students, and Davis said university officials continue to maintain and 
update the site: www.identityalert.ucla.edu/index.htm.

On the Web site, Abrams encouraged affected students to place fraud 
alerts on their credit accounts and to alert credit agencies.

Davis also emphasized personal responsibility in preventing identity 
theft. Students should create non-obvious passwords, at least six 
characters in length, and should never give out personal information.

He added that the university employs virus scanning to combat security 
issues.

"One of the most important ways servers get infiltrated is by viruses," he 
said, adding that some key-logging viruses are able to record passwords 
and other information typed onto a computer. "Generally speaking the 
machines on campus are monitored (for viruses) pretty carefully."

But he noted that security is an ongoing issue for any large university 
or company.

"We are continually under attack," he said. "We are continually probed for 
vulnerability ... in the high tens of thousands (of attempted hacks) per 
day. We've had some scares."


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/


