Slashdot Mirror


Whopping-Big Data Theft At U.C. Berkeley

aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus has additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."

14 of 380 comments

  1. Traffic Safety Center by 2.7182 · · Score: 5, Interesting

    Interesting. A few years ago there was a smaller such incident at the Berkeley Traffic Safety Center.

  2. Re:surprising... by metlin · · Score: 4, Interesting

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.

    Are they allowed to do that? Without notifying the state at all? Especially considering that the data that was lost belongs to the state.

    Already UC is having a lot of trouble in the (mis)handling of national labs and a few other problems; this would only compound it. Damn.

  3. SSNs or not? by garcia · · Score: 4, Interesting

    The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.

    The title says it included SSNs but the article doesn't mention them. Were they included or not? What the hell does a researcher need to have SSNs for anyway? Can't they be identified by insignificant numbers?

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.

    And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...

    1. Re:SSNs or not? by Fedallah · · Score: 4, Interesting
      And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...

      Both my wife and my mother-in-law are most likely contained in that database (my wife as a former IHSS caregiver, my mother-in-law as a current IHSS care-receiver), and this is the first I've heard of this break-in. To be honest, I feel betrayed by the state of California's apparent lackadaisical approach to guarding these social security numbers. Why would these numbers be shared with a university for research purposes anyway? It really doesn't make sense anyway, and I don't recall my wife signing any type of release to allow this personal information to be used for research purposes. I guess it's time to go safeguard against identity theft (not to mention contemplate the potential success of a class action lawsuit against the state of California on grounds of negligence.)

  4. Universities notorious by bigberk · · Score: 3, Interesting

    Universities are notorious for having poor network security! They typically don't have sufficient staff to maintain such tight control over network access. Why would such sensitive information be kept on inherently vulnerable networks in the first place?

    1. Re:Universities notorious by mi · · Score: 4, Interesting
      Indeed. It took years for my ex-school to switch to ssh and ban outside telnet-ing. At the conclusion of one discussion, the head admin said that she was still not convinced they needed ssh, but that she might consider disabling rsh... Maybe because it is a government-run school, I don't know.

      And there still is no SSL support on the IMAP server(s). To protect my account, I have to ssh in and create a tunnel -- this way I am only exposed to a hacker already on the department net...

      The only real admin I know there seems quite competent, but either he is overloaded by work or the security just is not a high priority, I guess...

      They have a nice policy of keeping accounts of alumni alive for as long as they are active, though.

      --
      In Soviet Washington the swamp drains you.
  5. How many intrusions went undetected? by theluckyleper · · Score: 3, Interesting

    The thing that worries me about these sorts of news articles is the fact that there are probably 10x as many similar intrusions which go undetected. I imagine that most crackers worth their salt would be concerned with covering their tracks!

    Which is why I always say "NO" when asked by online stores, "Would you like us to remember your credit card number for future transactions?" I think they need a "HELL NO!" option :)

    --
    Visit the Game Programming Wiki!
  6. Re:BSD is causing death by TAGmclaren · · Score: 2, Interesting

    What's given you the idea that this was a BSD vulnerability?

    I'm not disputing that it might be the case (and yeah I know what BSD stands for) but how do you know it wasn't Windows or something else?

    --
    Iran has endorsed
  7. What the hobag? by sockonafish · · Score: 2, Interesting

    SecurityFocus's description is no better than CNet's, I thought they'd have more technical details. What system were they running? What exploit?

    Oh, wait, I get it, they probably haven't patched the exploit yet.

  8. Anyone know what OS this was that got hacked? by Viol8 · · Score: 2, Interesting

    Was it Windows, Linux, BSD, Solaris etc?? It doesn't say in the articles.

  9. Re:What OS by mok000 · · Score: 2, Interesting
    Right, it doesn't say. It only says "a research computer" so it could have been anything, even a laptop running Windows. The text also talks about "a well known exploit". This hints that it was indeed Windows. The significant difference in this hacker job is that most exploits install spyware and send out viruses, while we don't hear about data theft very often.

    IMHO it is highly unlikely that this is BSD.

  10. you miss the point: this WAS the government by tjic · · Score: 2, Interesting
    You miss the point: these people only gave their information to the government.

    It was the government that

    • required their information
    • handed the info out to a third party
    • failed to ensure that the third party took adequate care

    Surprised? You shouldn't be. There's no market pressure on the government. If you're offended at their cavalier attitude, it's not like you can go with a competitor!

    One example of a government agency doing things the right way: about 15 years ago I worked on a university research project that used Census bureau data...but the data had been anonymized before we got it: some fields were removed, some were hashed, and the data had been pruned enough that you couldn't do an exhaustive match against a telephone book.

    In this case, though, it looks like some California agency just handed over the entire database, raw.

    Wonderful.
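The de-identification tjic describes in the comment above (some fields removed, some hashed, the rest pruned) and garcia's question higher up about identifying subjects by "insignificant numbers" are the same technique, so here is one worked example of it. This is an added illustration in Python, not code from the thread, from any commenter, or from the Census Bureau; the field names, the three sample records (fictional people, SSNs from the range the SSA reserves for advertising) and the key are all constructed for the demonstration. The important caveat it shows: an unkeyed hash of an SSN is not anonymization, because the whole SSN space is only 10^9 values and can be enumerated, whereas a keyed pseudonym (HMAC under a secret the data owner never hands out) keeps records about one person linkable for the study without being reversible by the researcher or by whoever breaks into the researcher's box.

```python
"""Added example: pseudonymizing a record set before it leaves the data owner.
Field names, sample records and SECRET handling are assumptions for illustration."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample data: fictional people with made-up SSNs (987-65-43xx is an
# SSA advertising range). The same SSN appears twice because one person is both a
# paid caregiver and a care recipient, the kind of join a study needs to preserve.
RAW_RECORDS = [
    {"name": "Pat Example", "ssn": "987-65-4320", "address": "1 Main St, Oakland",
     "phone": "510-555-0100", "dob": "1949-03-02", "role": "recipient", "hours": 40},
    {"name": "Lee Sample", "ssn": "987-65-1187", "address": "2 Oak Ave, Fresno",
     "phone": "559-555-0101", "dob": "1972-11-19", "role": "provider", "hours": 40},
    {"name": "Pat Example", "ssn": "987-65-4320", "address": "1 Main St, Oakland",
     "phone": "510-555-0100", "dob": "1949-03-02", "role": "provider", "hours": 12},
]

# Direct identifiers that a research copy should never carry (assumed field names).
DIRECT_IDENTIFIERS = ("name", "ssn", "address", "phone")


def naive_hash(ssn: str) -> str:
    """What 'just hash it' usually means: an unkeyed SHA-256 of the SSN.
    This is NOT anonymization; see brute_force_unkeyed() below."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def pseudonym(ssn: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret kept by the data owner.
    Deterministic, so all records about one person still link up, but without
    the key nobody can recompute it or enumerate the SSN space against it."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def anonymize(records: Iterable[dict], key: bytes) -> list:
    """Drop direct identifiers, replace the SSN with a keyed pseudonym, and
    coarsen date of birth to a birth year (a simple generalization step)."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = pseudonym(r["ssn"], key)
        row["birth_year"] = int(r["dob"][:4])
        del row["dob"]
        out.append(row)
    return out


def ssn_candidates(area_group: str) -> Iterable[str]:
    """Enumerate the 10,000 SSNs sharing an area/group prefix such as '987-65'.
    The full SSN space is only 10**9 hashes; restricting it here keeps the demo
    fast and does not change the conclusion."""
    for serial in range(10_000):
        yield f"{area_group}-{serial:04d}"


def brute_force_unkeyed(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover an SSN from an unkeyed SHA-256 digest by trying every candidate.
    Against a keyed pseudonym this search finds nothing."""
    for ssn in candidates:
        if naive_hash(ssn) == digest:
            return ssn
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stays with the agency; the researcher never sees it
    clean = anonymize(RAW_RECORDS, key)
    for row in clean:
        print(row)
    target = RAW_RECORDS[0]["ssn"]
    print("unkeyed hash recovered:",
          brute_force_unkeyed(naive_hash(target), ssn_candidates("987-65")))
    print("keyed pseudonym recovered:",
          brute_force_unkeyed(pseudonym(target, key), ssn_candidates("987-65")))
```

Two things to notice when running it: the two Pat Example rows come out with the same subject_id, so the study can still join them, and the unkeyed hash falls to a 10,000-guess search in well under a second while the keyed pseudonym does not. The keyed version only removes direct identifiers, though; birth year plus role plus a small locality can still single people out, which is what the pruning tjic mentions is for, and that step has to be judged against the actual population, not bolted on generically.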

  11. SSN as National ID card (was:Re:Not Illegal) by e-gold · · Score: 3, Interesting

    I still have my SS card issued in the 1960s. It says, and I quote:

    "FOR SOCIAL SECURITY AND TAX PURPOSES -- NOT FOR IDENTIFICATION."

    (The ALL CAPS is what's on my original card, I'm not "shouting"!)

    I'm sure there are reams of Social "Security" (ok, my classical-liberal bias is showing with the quote-marks, but bear with me. After all, there's NO TRUST FUND, it's all a BUNCH OF I.O.U.s!!!) documents which form various interpretive rules and laws that can't be fathomed by mere mortal nonlawyers, but ask yourself a couple of questions:

    1. Why would so many folks think it's illegal, if it's not?

    2. Why does my card say what it says, but modern cards make NO MENTION of the fact that it's allegedly "not for identification"? Did something change? When?!? Who voted for it???!!!

    Expanding government, when you lie to do it (and the lie was that the SSN was/is not gonna be used as a de-facto National ID card/number) is morally-wrong. Various events/excuses (I can see a 9/11 thread looming, so I'm trying to pre-squelch that now) don't make the moral-wrong of lying to expand government suddenly become right. If you want to expand government, say "I will make the government bigger, and this is why..." and then make an HONEST argument for once! Ok, rant-over. Back to work.
    JMR

    --
    Try e-gold - (contact me). I'm NOT e-
  12. A Similar Situation For Me by jen0r · · Score: 2, Interesting

    I applied for San Diego State University way back in 1998 when I was initially trying to find a school to attend. About 4 months ago I got a notice in the mail saying that hackers had gained access to the database that held all of the applicant information (drivers license, SSN, financial awards, PARENTS SSN's, etc.) and that we should all obtain a copy of our credit reports and report any suspicious activity. This apparently happened in February of this year and I received a message in June notifying me. To be honest, I think it's pretty stupid to keep names and SSN's in a database that is linked to a network. It doesn't seem right, and now I have to worry about Identity Theft because I applied to a University 6 years ago.

    --
    jen0r all your base are belong to... me