Slashdot Mirror


Whopping-Big Data Theft At U.C. Berkeley

aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus has additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."

8 of 380 comments

  1. Traffic Safety Center by 2.7182 · · Score: 5, Interesting

    Interesting. A few years ago there was a smaller such incident at the Berkeley Traffic Safety Center.

  2. Re:surprising... by metlin · · Score: 4, Interesting

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.

    Are they allowed to do that? Without notifying the state at all? Especially considering that the data that was lost belongs to the state.

    Already UC is having a lot of trouble in the (mis)handling of national labs and a few other problems, this would only compound it. Damn.

  3. SSNs or not? by garcia · · Score: 4, Interesting

    The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.

    The title says it included SSNs but the article doesn't mention them. Were they included or not? What the hell does a researcher need to have SSNs for anyway? Can't they be identified by insignificant numbers?

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.

    And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...

    1. Re:SSNs or not? by Fedallah · · Score: 4, Interesting
      And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...


      Both my wife and my mother-in-law are most likely contained in that database (my wife as a former IHSS caregiver, my mother-in-law as a current IHSS care-receiver), and this is the first I've heard of this break-in. To be honest, I feel betrayed by the state of California's apparent lackadaisical approach to guarding these social security numbers. Why would these numbers be shared with a university for research purposes anyways? It really doesn't make sense anyways, and I don't recall my wife signing any type of release to allow this personal information to be used for research purposes. I guess it's time to go safeguard against identity theft (not to mention contemplate the potential success of a class action lawsuit against the state of California on grounds of negligence.)
  4. Universities notorious by bigberk · · Score: 3, Interesting

    Universities are notorious for having poor network security! They typically don't have sufficient staff to maintain such tight control over network access. Why would such sensitive information be kept on inherently vulnerable networks in the first place?

    1. Re:Universities notorious by mi · · Score: 4, Interesting
      Indeed. It took years for my ex-school to switch to ssh and ban outside telnet-ing. At the conclusion of one discussion, the head admin said that she is still not convinced they need ssh, but that she might consider disabling rsh... Maybe because it is a government-run school, I don't know.

      And there still is no SSL support on IMAP server(s). To protect my account, I have to ssh in and create a tunnel -- this way I am only exposed to a hacker already on the department net...

      The only real admin I know there seems quite competent, but either he is overloaded by work or the security just is not a high priority, I guess...

      They have a nice policy of keeping accounts of alumni alive for as long as they are active, though.

      --
      In Soviet Washington the swamp drains you.
  5. How many intrusions went undetected? by theluckyleper · · Score: 3, Interesting

    The thing that worries me about these sorts of news articles is the fact that there are probably 10x as many similar intrusions which go undetected. I imagine that most crackers worth their salt would be concerned with covering their tracks!

    Which is why I always say "NO" when asked by online stores, "Would you like us to remember your credit card number for future transactions?" I think they need a "HELL NO!" option :)

    --
    Visit the Game Programming Wiki!
  6. SSN as National ID card (was:Re:Not Illegal) by e-gold · · Score: 3, Interesting

    I still have my SS card issued in the 1960s. It says, and I quote:

    "FOR SOCIAL SECURITY AND TAX PURPOSES -- NOT FOR IDENTIFICATION."

    (The ALL CAPS is what's on my original card, I'm not "shouting"!)

    I'm sure there are reams of Social "Security" (ok, my classical-liberal bias is showing with the quote-marks, but bear with me. After all, there's NO TRUST FUND, it's all a BUNCH OF I.O.U.s!!!) documents which form various interpretive rules and laws that can't be fathomed by mere mortal nonlawyers, but ask yourself a couple of questions:

    1. Why would so many folks think it's illegal, if it's not?

    2. Why does my card say what it says, but modern cards make NO MENTION of the fact that it's allegedly "not for identification"? Did something change? When?!? Who voted for it???!!!

    Expanding government, when you lie to do it (and the lie was that the SSN was/is not gonna be used as a de-facto National ID card/number) is morally-wrong. Various events/excuses (I can see a 9/11 thread looming, so I'm trying to pre-squelch that now) don't make the moral-wrong of lying to expand government suddenly become right. If you want to expand government, say "I will make the government bigger, and this is why..." and then make an HONEST argument for once! Ok, rant-over. Back to work.
    JMR

    --
    Try e-gold - (contact me). I'm NOT e-