UCLA Hacked, 800,000 Identities Exposed
An anonymous reader writes "The Washington Post reports that a central campus database at UCLA containing the personal information (including SSNs) of about 800,000 UCLA affiliates has been compromised for possibly over a year. The data may have been available to hackers from October 2005 until November 21, 2006, when the breach was finally detected and blocked. Several other UC campuses have also been involved in significant data security incidents over the past few years." From the article: "'To my knowledge, it's absolutely one of the largest,' Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association, told the Los Angeles Times. Petersen said that in an Educause survey released in October, about a quarter of 400 colleges said that over the previous 12 months, they had experienced a security incident in which confidential information was compromised, the newspaper reported."
wow! (Score:1)
800,000 people are going to be pissed as shit
Re:wow! (Score:5, Interesting)
My name was on the list. Hooray!
I was just about to submit this story myself. Here's UCLA's official website devoted to the whole incident: Link [ucla.edu]
I wonder, will there be a point in time when we hold accountable either the credit agencies for their broken system or organizations we are forced to trust with our data for not keeping it safe?
Re:wow! (Score:4, Funny)
Re:wow! (Score:5, Interesting)
And how do you remember what you wrote? (Score:2)
The whole point of getting your SSN is to set up an account for your data.
If you lie, you had better be able to remember what you wrote - otherwise good luck getting access to your account.
Re: (Score:2)
especially people like me who applied to the school years ago and never attended. why are they storing SSNs of people that are not students or employees? my info should have never been in there to steal in the first place.
Re:wow! (Score:5, Insightful)
Correction.
11 people are going to be pissed as shit.
34 people are going to panic.
72 people are going to wonder if the story is relevant to them.
284 people aren't going to realise the story is relevant to them.
799599 people affected aren't even going to hear about this, let alone care.
There is a silent majority. It's silent because it's too apathetic to speak.
Re: (Score:1, Interesting)
Criminals typically do one of three things with a Name/DOB/SSN:
1) Try to obtain credit in your name
2) Open a bank account and use it for money laundering, bogus checks, eBay fraud, and various other scams
3) Give your info when they get arrested
1) will show up on your credit report eventually. With 2) or 3) you might not find out about it for awhile.
E-mail sent to UCLA students, faculty, and staff (Score:5, Informative)
December 12, 2006
Dear Friend,
UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker. This database contains certain personal information about UCLA's current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current and some former faculty and staff at the University of California, Merced, and current and some former employees of the University of California Office of the President, for which UCLA does administrative processing.
I regret having to inform you that your name is in the database. While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers. Therefore, I want to bring this situation to your attention and urge you to take actions to minimize your potential risk of identity theft. I emphasize that we have no evidence that personal information has been misused.
The information stored on the affected database includes names and Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information.
Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.
In addition, UCLA has notified the FBI, which is conducting its own investigation. We began notifying those individuals in the affected database as soon as possible after determining that personal data was accessed and after we retrieved individual contact information.
As a precaution, I recommend that you place a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent. For details on how to take these steps, please visit http://www.identityalert.ucla.edu/what_you_can_do.htm [ucla.edu].
Extensive information on steps to protect against personal identity theft and fraud is on the Web site of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs, http://www.privacy.ca.gov [ca.gov].
Information also is available on a Web site we have established, http://www.identityalert.ucla.edu [ucla.edu]. The site includes additional information on this situation, further suggestions for monitoring your credit and links to state and federal resources. If you have questions about this incident and its implications, you may call our toll-free number, (877) 533-8082.
Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to rel
Re:E-mail sent to UCLA students, faculty, and staf (Score:2)
A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent.
Gee, it isn't that way by default? I would expect that that information too would be safeguarded...
What are the credit implications for placing a freeze on that information? Does it affect credit scores in any way? If not, I would like to place one on my own, just for fact that I don't want anybody looking at that information withou
Re: (Score:1)
Nope. Unless you've specified such a freeze, anyone who has subscribed to the credit bureau can see your credit history. Credit card companies routinely scan such histories to determine who to send those unsolicited "You have been approved f
Re:E-mail sent to UCLA students, faculty, and staf (Score:4, Insightful)
It should be illegal to treat the SSN as proof of identity anyway. What kind of password has the following properties?
o Less than a billion possible values
o Part of it based on your place of birth
o You're required to disclose it to dozens or hundreds of places
o Any credit-granting company can order a report and look at it
o It never changes
Re:E-mail sent to UCLA students, faculty, and staf (Score:3, Insightful)
He regrets having to inform us, not that they were hacked.
Re: (Score:3, Interesting)
He regrets having to inform us, not that they were hacked.
Liked this quote (Score:1)
The line doesn't add anything except the realization that they are trying to cover their ass. Of course they don't have any evidence of what the intruder did with the data.
They do have proof of misuse though... Unauthorized access is misuse!
Re: (Score:2)
You mean the sophisticated hacker. Is anyone else interested in what evidence they have that this was the work of a formidable enemy rather than mere incompetence on their part?
Re:E-mail sent to UCLA students, faculty, and staf (Score:1)
Why isn't this automatic? Nobody should have the ability to check someone's credit without their consent. It should be the 'default' setting.
One way to help protect... (Score:4, Insightful)
Re: (Score:3, Interesting)
When I was in a U.S. college, albeit a long time ago, i.e. before the Patriot Act and 9/11, I had the choice to use a random number as my student ID rather than my social security number. I remember hearing that the soc. security number is (was? pre 9/11) only required for social security and tax purposes. I think more places should start using other numbers. Although this wouldn't solve hacked identity theft, it is one less piece of information that the hackers get...
Except that would just mean that when the hackers get their spreadsheet full of information on 800,000 people, they just have to remember to look to the "SSN" column instead of the "Student ID" column to get the information they want. The school will still collect your SSN whether they use it as your ID or not. The question merely becomes whether it is your SSN or some randomly generated number that they put on your ID card.
Re:One way to help protect... (Score:4, Interesting)
Re: (Score:1)
Many schools now are using ids rather than social security numbers. They are not random, but sequential in order of admittance to the school. As I recall, I had to use my social security number only once, and that was as validation for my student id.
Re: (Score:2)
These people looked deep within my soul and assigned me a number based on the order in which I joined.
Re: (Score:2)
From the beginning actually. Cards say on 'em "Not to be used for ID" or something like that. However, it has always been a "mostly" unique number, so someone somewhere decided to start using it as a unique identifier in their database (or rolodex at that point most likely) and it's just gotten worse since...
Re: (Score:2)
I suspect this database was a financial one of some sort... one where they actually needed the SSN for its real purpose -- reporting earnings and such to the IRS and the Social Security Administration.
Now why they still retain that information for people who've been out of the system for years is beyond me. That'll pro
Re: (Score:2)
Given this practice, it boggles the mind that there was a table left unguarded somewhere that had the actual SSNs. I'm thinking financial aid is the culprit here (since all the loan papers demand your SSN). Either that, or admissions, since that would be pre-issuance of your UCLA ID.
What was the hack? (Score:2)
It's scary how much information is being reported as leaked every couple months.
Santa Claus says "security? ho ho ho!" (Score:5, Insightful)
Make one mistake and you've got no security.
As such, it is problematic to have vast databases of highly valuable information protected by "security".
The result will be a constant flow of database violations.
Unfortunately, by and large, a database provides a large and ongoing bureaucratic benefit to an organisation, whereas the pain of data loss is primarily borne by the people described by the database.
The only response we have as individuals is to keep our details as secret as possible.
It's difficult because it is "virtual". (Score:2)
Sort of. The problem with getting everything right is that you're dealing with non-physical concepts. If people were dealing with a physical structure it would be easier for them to understand and get it "right". Or at least closer to "right" than we currently see.
For example, important physical records are kept in a safe. The safe is in someone's office. The office is locked. If someone sees someone else going through the safe, most o
Re: (Score:2)
It would be easy for them. How much does a "market research" firm cost to buy outright? How much money could a big crime syndicate muster?
Reminds me of Bruce Schneier talking to Verisign about how much it would cost an attacker to compromise their ultimate root certificate. If all else failed, they figured that a $15 million down payment would swing a leveraged buyout of Verisign.
Far, far less. (Score:2)
Why spend that much money on something you can get for a few thousand in gambling debt or drugs?
You don't have to own the company if you can pwn an employee with the right kind of access.
And the payoff would be millions of times greater than that "investmen
Re: (Score:3, Insightful)
You are assuming rational due diligence was in fact even attempted. These are institutions run by politicians.
Not if you have really done your homework. You NEVER rely on one system. When the second system catches a violation, you promptly deal with it.
One has to ask, why did it take so long to notice? Think about all the others that are not even watching?
Computer security is all abo
Re: (Score:2)
I don't agree. Isn't one of the basic principles of security to use multiple layers? Firewall, IDS, TCP wrappers, strong passwords, etc. Insert various other security methods anywhere in the chain and you can be well defended. If I make a mistake in my firewall config, I should still be reasonably sure that I won't be totally compromised.
Re: (Score:2)
>Make one mistake and you've got no security.
We're used to thinking that because good security design is so rare. Imagine if all ships and boats were guaranteed to sink the instant a hole opened in the hull. Good design contains failures. Maybe, just maybe, UCLA's database had a view that left out the SSNs and that almost all users were required to use. Anyone seriously think they did it that way? Not to mention how long it too
Good Target (Score:3, Interesting)
It's time to make the SSN database public (Score:5, Interesting)
Re:It's time to make the SSN database public (Score:5, Insightful)
Unfortunately, there's no easy answer. SSN's already in use as an id and until something else better comes along, we have to use it. So what should we in IT do? First, reduce easy access to the number. When designing systems, issue a id that is unique and ONLY works with your system. If you need a way of identifying people in the real world, file the SSN and then reduce access to it. Only let the people who need that number have access to it. In the case of colleges, only financial aid and possibly select people records and registration need to see it. Everyone else MUST use the institution specific id.
The big issue for some higher ed systems is that they used some insecure methods for far too long. One system in particular up until about 2-3 years ago was using telnet in their client! It was not even SSL'd!
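A data-layer sketch of the advice in the parent comment (issue an institution-specific ID, file the SSN separately, and let only designated roles read it), added here as an example; it is not UCLA's or the commenter's code, and the role names, table layout and sample person are assumptions.

```python
import secrets
import sqlite3

# Roles permitted to read SSNs (assumption: financial aid and records only).
SSN_ROLES = {"financial_aid", "records"}


def open_db():
    """Create the schema: general table, separate SSN vault, SSN-free view, audit log."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person (
            inst_id TEXT PRIMARY KEY,  -- random ID that only means something here
            name TEXT NOT NULL,
            email TEXT
        );
        CREATE TABLE ssn_vault (       -- kept apart from the general-purpose table
            inst_id TEXT PRIMARY KEY REFERENCES person(inst_id),
            ssn TEXT NOT NULL
        );
        CREATE TABLE ssn_access_log (  -- every SSN request, granted or refused
            ts INTEGER DEFAULT (strftime('%s', 'now')),
            role TEXT, inst_id TEXT, allowed INTEGER
        );
        -- what everyone else queries: the view has no SSN column at all
        CREATE VIEW directory AS SELECT inst_id, name, email FROM person;
    """)
    return db


def enroll(db, name, email, ssn):
    """Issue a random institution ID; the SSN goes only into the vault."""
    inst_id = secrets.token_hex(4)  # 8 hex chars, not derived from the SSN
    db.execute("INSERT INTO person VALUES (?, ?, ?)", (inst_id, name, email))
    db.execute("INSERT INTO ssn_vault VALUES (?, ?)", (inst_id, ssn))
    return inst_id


def lookup(db, role, inst_id, want_ssn=False):
    """Any role gets the directory record; the SSN is added only for SSN_ROLES."""
    row = db.execute("SELECT name, email FROM directory WHERE inst_id = ?",
                     (inst_id,)).fetchone()
    if row is None:
        return None
    record = {"inst_id": inst_id, "name": row[0], "email": row[1]}
    if want_ssn:
        allowed = role in SSN_ROLES
        db.execute("INSERT INTO ssn_access_log (role, inst_id, allowed) "
                   "VALUES (?, ?, ?)", (role, inst_id, int(allowed)))
        if allowed:
            record["ssn"] = db.execute(
                "SELECT ssn FROM ssn_vault WHERE inst_id = ?", (inst_id,)).fetchone()[0]
    return record


def denied_ssn_reads(db):
    """Refused SSN requests; a spike here is the kind of signal worth alerting on."""
    return db.execute(
        "SELECT COUNT(*) FROM ssn_access_log WHERE allowed = 0").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    pid = enroll(db, "Sample Student", "student@example.edu", "000-00-0000")  # constructed
    print(lookup(db, "registrar", pid, want_ssn=True))      # no 'ssn' key
    print(lookup(db, "financial_aid", pid, want_ssn=True))  # includes 'ssn'
    print(denied_ssn_reads(db))                             # 1
```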
Re: (Score:3, Informative)
Personally, I wouldn't mind seeing fingerprints, DNA or Retina Scan based systems.
If you think getting your compromised social security number changed is hard, you should see what it takes to change your retinas. Or DNA...
Biometrics are useful security tools, but you have to keep in mind that they are only passwords. They're convenient passwords, in that you can't forget them (though you *can* lose them!), and they're fairly high-entropy passwords as well, making them hard to guess. However, they're unchangeable passwords, and you leave copies of your fingerprints and DNA pretty w
Re: (Score:2)
What about the old adage? "Something you have, something you know, something you are". This triplet is equally valid for low, mid and high level security. It doesn't seem so hard to get even within a PHB skull. Then why are things *so* badly broken by design? (remember the article: there was a *single* hole within a *single* app, and somebody got *full* access to a mid privacy level database. Multilayer security some
Re: (Score:2)
It's valid for all environments, but it's too inconvenient and too costly for most. If you can justify the cost, and if you can implement it so that it's convenient enough that the users won't just find ways to avoid it, then by all means do it.
Re: (Score:3, Informative)
Myth. SSA site [ssa.gov] (link may not work due to silly session cookies)
Re: (Score:3, Interesting)
Although the original legislation for SSN's states that it is not meant to be a sort of national identification number, this seems mainly aimed
Actually, all UPC barcodes contain 666 already (Score:1)
Decode the bars and you'll find that it's true.
So, if you barcoded my SSN and forced me to wear it on my hand or forehead... Bingo, 2000-year-old prophecy fulfilled!
Re: (Score:2)
Can you explain then, please, how is it that this kind of problem is *exclusive* to the USA in the whole world?
Can you please explain to me how all European countries (to name some you might find liminary civilized) have no problems *at all* with your "difficult to manage" unique-ID issue?
Re: (Score:2)
I thought it already was!
Students? (Score:4, Funny)
All I know is that the school better not be heavily promoting its computer security courses.
IT budget for next year... (Score:1)
The scary thing.. (Score:3, Interesting)
ohh.. look at Johnny's sparkly new Ph.D. or M.D.
indemnification against data breach .. (Score:2)
at first glance (Score:2, Funny)
As an alumnus... (Score:3, Funny)
Telling quote... (Score:1, Insightful)
So, a single software flaw got them past "all security measures." Sounds like some heads need to roll, s
since, from (Score:4, Interesting)
Am I the only one who cringes when he reads this sentence.
Better off? (Score:1)
lucky me (Score:1)
Re: (Score:1)
who knows what the future holds?
Extrapolating from the data in the link above there will be many more incidents in the future, perhaps 600 next year.
Re: (Score:1)
Your SSN is probably already being used by an entire family of illegal aliens to get work and have accounts. Credit Bureaus, banks, credit card companies, employers, even the IRS aren't obligated to tell you when someone else is using your SSN without your permission. Investigations have found that some SSN's are used by up to 30 people. This stuff doesn't show up on your credit report. Some day you'll get some collections agency looking for money you owe
And then... (Score:2)
Maybe when companies/organizations trusted with information that leak it start getting sued by the people they are "protecting."
At my school they used the last 4 numbers of your social security number as part of your email. Org
suits over this would not be categorized (Score:2)
This incident is negligent, possibly bordering on criminal if they can figure out if some people knew about it earlier. Seeing that they're a school I wonder what their liability is? I didn't check but is UCLA still considered a government entity? If so they may be already protected by law. Lots of laws that come along that punish businesses purposely exclude government agencies from the very same.
what worries me is... (Score:2)
For example - they only went after applicants, collected the information, and dropped it from the server. There would be no existing student/faculty to wonder why their data was missing, and on top of that, if they did it at the right time, there might not even be a backup to verify it was ever there. Thus, the victim gets no warning whatsoever, and the thief gets an even longer time to escape.
I hope the invest
Actually... (Score:1)
Having worked as the IT person in charge of a University database...
...and that's just off the top of my head.
They call this a "data Valdez." (Score:2)
Maybe actual fraud will end up fixing this? (Score:3, Interesting)
You'd think that at some point, just about everyone in the U.S. will need to put "fraud alerts" on their credit profiles!
As bad as it sounds, I think it's going to take real financial losses of an almost unmanageable sort for the lenders and credit agencies to say "Enough!" and find new ways to protect consumer info.
Call me the devil but... (Score:1)
pwned (tagging beta) (Score:3, Funny)
Incompetent Academics (Score:2, Funny)
Always Blaming Hackers
To Cover Their Asses!
Therefore, I've decided to fix it:
Dumb Academics Constantly Blaming Hackers To Cover Their Ass!
For gov't use only (Score:1)
Their hotline database is offline (Score:3, Interesting)
Re: (Score:2)
Idiots.
And this happens the same week a mortgage company lost my parents' financial info for their home loan.
Today's Private info loss (Score:1)
Same Thing, Different Place (Score:1)
I want the real story (Score:2)
Yes, I'm hoping it was a Microsoft shop, top-to-bottom. 8-)
Approaching the breaking-point? (Score:2)
Am I a cynic, or are we approaching the breaking-point?
At last count, we had 300,000,000 Americans roaming about. Let us assume that 100% of these people were issued SSN's (wrong thread for an illegal immigration debate). 800k out of 300,000k is 0.26%. In other words, this single incident has compromised AT LEAST 0.26% of
It's simple... (Score:2)
Re:This says it all - The rest of the story (tm) (Score:2, Informative)
Re:Universities should allow CS departments more sa (Score:2)
Granted, there are many college IT shops who would never make the call to t