Whopping-Big Data Theft At U.C. Berkeley
aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus has additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."
Interesting. A few years ago there was a smaller such incident at the Berkeley Traffic Safety Center.
The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.
Are they allowed to do that? Without notifying the state at all? Especially considering that the data that was lost belongs to the state.
Already UC is having a lot of trouble in the (mis)handling of national labs and a few other problems; this would only compound it. Damn.
The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.
The title says it included SSNs but the article doesn't mention them. Were they included or not? What the hell does a researcher need to have SSNs for anyway? Can't they be identified by insignificant numbers?
The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.
And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...
Universities are notorious for having poor network security! They typically don't have sufficient staff to maintain such tight control over network access. Why would such sensitive information be kept on inherently vulnerable networks in the first place?
The thing that worries me about these sorts of news articles is the fact that there are probably 10x as many similar intrusions which go undetected. I imagine that most crackers worth their salt would be concerned with covering their tracks!
:)
Which is why I always say "NO" when asked by online stores, "Would you like us to remember your credit card number for future transactions?" I think they need a "HELL NO!" option.
Visit the Game Programming Wiki!
I still have my SS card issued in the 1960s. It says, and I quote:
"FOR SOCIAL SECURITY AND TAX PURPOSES -- NOT FOR IDENTIFICATION."
(The ALL CAPS is what's on my original card, I'm not "shouting"!)
I'm sure there are reams of Social "Security" (ok, my classical-liberal bias is showing with the quote-marks, but bear with me. After all, there's NO TRUST FUND, it's all a BUNCH OF I.O.U.s!!!) documents which form various interpretive rules and laws that can't be fathomed by mere mortal nonlawyers, but ask yourself a couple of questions:
1. Why would so many folks think it's illegal, if it's not?
2. Why does my card say what it says, but modern cards make NO MENTION of the fact that it's allegedly "not for identification"? Did something change? When?!? Who voted for it???!!!
Expanding government, when you lie to do it (and the lie was that the SSN was/is not gonna be used as a de-facto National ID card/number) is morally-wrong. Various events/excuses (I can see a 9/11 thread looming, so I'm trying to pre-squelch that now) don't make the moral-wrong of lying to expand government suddenly become right. If you want to expand government, say "I will make the government bigger, and this is why..." and then make an HONEST argument for once! Ok, rant-over. Back to work.
JMR
Try e-gold - (contact me). I'm NOT e-