Slashdot Mirror


Whopping-Big Data Theft At U.C. Berkeley

aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."

8 of 380 comments (clear)

  1. Worst. Intrusion. Ever. by Indy+Media+Watch · · Score: 4, Insightful
    CNET calls it the worst intrusion U.C. Berkeley has experienced

    No. It's only the worst intrusion they were made aware of. There could have been more...

    --

    Indy Media Watch-Proctologist of the Internet

  2. Why did they need all of that data? by ericzundel · · Score: 5, Insightful

    It makes you wonder...

    Why does a research program need access to social security numbers, phone numbers, and the like?

    I think the real story is the State of California sharing too much personal information, regardless of how the hacker got access to it.

  3. One has to ask the question by TuballoyThunder · · Score: 4, Insightful
    What purpose does it serve the researchers to have SSN's? The purpose of the study was to study the impact of wages on in-home care. Likewise, the names are irrelevant to the researchers. The agency that provided the data should have eliminated the names and SSN's and replaced them with a unique identifier.

    This smacks of laziness on the part of the data provider and the researcher(s).

  4. Re:Guess What by garcia · · Score: 4, Insightful

    I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws.

    As you all probably know I'm the last person that thinks that we should create laws due to overreaction but in this case I have to say that we do need more stringent laws against protecting SSNs.

    There is absolutely no reason that a researcher needed access to SSNs. They should have all been assigned a random ID number and that should have been linked back to the SSNs and stored in the STATE OFFICES ONLY for later cross referencing.

    We have all these demands for SSNs and we are supposed to be protecting them as our entire history is linked to them yet we don't have any real protections when they are.

  5. Re:Yeah by NardofDoom · · Score: 5, Insightful

    A wise man once said "A society is stable when some nut guns down a schoolyard and the laws *don't* change."

    --
    You have two hands and one brain, so always code twice as much as you think!
  6. Outsourcing anyone? by mhollis · · Score: 4, Insightful

    This may be seen as slightly offtopic, but the company I work for has outsourced payroll. Payroll includes the information supposedly stolen from this database, Social security numbers, home addresses, age, date of birth as well as a lot of financial information giving access to the earnings of many for many years.

    I'm wondering when the Indian company (or some person within that company) decides to legally sell that information to some Moldavian Mafiosi. I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans. Might violate a contract but who's paying more?

    Does your company outsource payroll?

    --
    Gods don't kill people, people with gods kill people.
  7. Re:Not Illegal by clausiam · · Score: 5, Insightful

    But that is completely insane. They're saying you can refuse to give it but that may mean you have to go without the service requesting it and then they mention a utility as an example and say "the choice is yours". So if you want to keep your SSN as private as possible you may have to live without electricity and water? It that what they call choice? /Claus

  8. Re:I worked on this project... by jonfelder · · Score: 4, Insightful

    So basically you blame IT, Microsoft, STATA, and Arnold instead of having the researchers take any of them blame themselves for being unable to generate usable random IDs. Why didn't they just generate their own random 9 digit identifier and delete the SSNs?

    Why didn't they make sure the box was secure by never putting it on the Internet?

    Granted yes, Microsoft software has vulnerabilities, STATA may suck, IT support may be stupid, and the state may have been negligent in distributing sensative data this way, but don't you think the researchers have some responsibility for this as well?

    The researchers knew it wasn't good to have SSNs in the data and (according to you) had strict rules about network access because it wasn't a Berkeley box. Yet, they put the box on the Internet anyway with unobfuscated SSNs.

    Don't you think those actions on the part of the researchers require them the share in the responsibility?