Slashdot Mirror


Whopping-Big Data Theft At U.C. Berkeley

aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."

25 of 380 comments

  1. It's not theft by Anonymous Coward · · Score: 5, Funny

    It's "copyright infringement".

  2. Traffic Safety Center by 2.7182 · · Score: 5, Interesting

    Interesting. A few years ago there was a smaller such incident at the Berkeley Traffic Safety Center.

    1. Re:Traffic Safety Center by Feminist-Mom · · Score: 4, Informative

      That was a theft of mostly technical motor vehicle data from a study, and so it wasn't very damaging to the participants. Although I wouldn't want my car model / color etc. publicly available.

    2. Re:Traffic Safety Center by Sc00ter · · Score: 5, Funny

      So you drive around with your car under a big blanket or something?

    3. Re:Traffic Safety Center by Brummund · · Score: 4, Funny

      Tinfoil, my son, tinfoil. :-)

  3. Fix by rguiu · · Score: 5, Funny

    Should be quite easy to fix, now give new name and social security name to everyone involved.

  4. Re:surprising... by metlin · · Score: 4, Interesting

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.

    Are they allowed to do that? Without notifying the state at all? Especially considering that the data that was lost belongs to the state.

    Already UC is having a lot of trouble in the (mis)handling of national labs and a few other problems; this would only compound it. Damn.

  5. SSNs or not? by garcia · · Score: 4, Interesting

    The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.

    The title says it included SSNs but the article doesn't mention them. Were they included or not? What the hell does a researcher need to have SSNs for anyway? Can't they be identified by insignificant numbers?

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.

    And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...

    1. Re:SSNs or not? by Fedallah · · Score: 4, Interesting

      And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...


      Both my wife and my mother-in-law are most likely contained in that database (my wife as a former IHSS caregiver, my mother-in-law as a current IHSS care-receiver), and this is the first I've heard of this break-in. To be honest, I feel betrayed by the state of California's apparent lackadaisical approach to guarding these social security numbers. Why would these numbers be shared with a university for research purposes anyways? It really doesn't make sense anyways, and I don't recall my wife signing any type of release to allow this personal information to be used for research purposes. I guess it's time to go safeguard against identity theft (not to mention contemplate the potential success of a class action lawsuit against the state of California on grounds of negligence.)

  6. Worst. Intrusion. Ever. by Indy+Media+Watch · · Score: 4, Insightful

    CNET calls it the worst intrusion U.C. Berkeley has experienced

    No. It's only the worst intrusion they were made aware of. There could have been more...

    --

    Indy Media Watch-Proctologist of the Internet

  7. Why did they need all of that data? by ericzundel · · Score: 5, Insightful

    It makes you wonder...

    Why does a research program need access to social security numbers, phone numbers, and the like?

    I think the real story is the State of California sharing too much personal information, regardless of how the hacker got access to it.

  8. Want to sell by ValuJet · · Score: 4, Funny

    1.4 million Social Security numbers.

  9. Re:At Berkeley? by Indy+Media+Watch · · Score: 5, Funny

    Two things have come out of Berkeley, Unix and LSD. It is uncertain which caused the other.

    --

    Indy Media Watch-Proctologist of the Internet

  10. One has to ask the question by TuballoyThunder · · Score: 4, Insightful

    What purpose does it serve the researchers to have SSN's? The purpose of the study was to study the impact of wages on in-home care. Likewise, the names are irrelevant to the researchers. The agency that provided the data should have eliminated the names and SSN's and replaced them with a unique identifier.

    This smacks of laziness on the part of the data provider and the researcher(s).

  11. Re:Guess What by garcia · · Score: 4, Insightful

    I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws.

    As you all probably know I'm the last person that thinks that we should create laws due to overreaction but in this case I have to say that we do need more stringent laws against protecting SSNs.

    There is absolutely no reason that a researcher needed access to SSNs. They should have all been assigned a random ID number and that should have been linked back to the SSNs and stored in the STATE OFFICES ONLY for later cross referencing.

    We have all these demands for SSNs and we are supposed to be protecting them as our entire history is linked to them yet we don't have any real protections when they are.

  12. Re:Yeah by NardofDoom · · Score: 5, Insightful

    A wise man once said "A society is stable when some nut guns down a schoolyard and the laws *don't* change."

    --
    You have two hands and one brain, so always code twice as much as you think!

  13. Re:Universities notorious by jschottm · · Score: 4, Informative

    On the contrary, most major universities have the staff, software, equipment, and know-how to maintain tight control over the network; it's that their hands are tied by professors who demand complete access to whatever they want in the name of academic freedom and by the students who are paying $X thousand dollars for the experience, and by god, are going to use their $P2PSOFT.

    My 27,000 student body university weathers most of the worms better than most large businesses, despite having little control over the computers on the network. And we keep our key servers safe. Assuming a lack of zero day exploits (as is true in this case), there's no reason an important server is any less safe in an academic environment than a corporate one. Someone was asleep at the wheel, and you'll find that anywhere.

  14. Information Technology Policy by Mstrgeek · · Score: 4, Informative

    This is an outline of the University of California, Berkeley's Campus Plan Implementing the UC Requirements for Protection of Computerized Personal Information.

    http://ist-socrates.berkeley.edu:7015/protected.data.html

    Hope you find it to be as educational on this subject as I did.

    --
    Chris Williams clw7500nc@gmail.com

  15. Outsourcing anyone? by mhollis · · Score: 4, Insightful

    This may be seen as slightly offtopic, but the company I work for has outsourced payroll. Payroll includes the information supposedly stolen from this database, Social security numbers, home addresses, age, date of birth as well as a lot of financial information giving access to the earnings of many for many years.

    I'm wondering when the Indian company (or some person within that company) decides to legally sell that information to some Moldavian Mafiosi. I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans. Might violate a contract but who's paying more?

    Does your company outsource payroll?

    --
    Gods don't kill people, people with gods kill people.

  16. SSN by sxmjmae · · Score: 5, Informative

    They should have cleaned the data and removed the SSN. When we pass information outside the company we remove any reference to the SSN and replace it with a zero-padded sequence number of the same length as the SSN. If they ever need to know who the individual is they can give us this sequence number and we can look them up. Our plans are to remove any possible reference to the SSN in the database and replace them with a good old-fashioned sequence number (i.e. customer number). Only payroll will have a table that links the sequence number to the SSN (a must when filing taxes).

    --
    My Sig indicates the end of the comment I posted.

  17. Re:Universities notorious by mi · · Score: 4, Interesting

    Indeed. It took years for my ex-school to switch to ssh and ban outside telnet-ing. At the conclusion of one discussion, the head admin said that she is still not convinced they need ssh, but that she might consider disabling rsh... Maybe because it is a government-run school, I don't know.

    And there still is no SSL support on IMAP server(s). To protect my account, I have to ssh in and create a tunnel -- this way I am only exposed to a hacker already on the department net...

    The only real admin I know there seems quite competent, but either he is overloaded by work or the security just is not a high priority, I guess...

    They have a nice policy of keeping accounts of alumni alive for as long as they are active, though.

    --
    In Soviet Washington the swamp drains you.

  18. Not Illegal by superid · · Score: 4, Informative

    According to The Social Security Administration it is not illegal for a business to ask you for your SSN.

    Can you provide a reference that it is illegal?

    Seriously, this is not a troll... I see this statement often and I want to know if it's an urban myth or not.

    1. Re:Not Illegal by clausiam · · Score: 5, Insightful

      But that is completely insane. They're saying you can refuse to give it but that may mean you have to go without the service requesting it, and then they mention a utility as an example and say "the choice is yours". So if you want to keep your SSN as private as possible you may have to live without electricity and water? Is that what they call choice? /Claus

  19. I worked on this project... by bigbikkuri · · Score: 5, Informative

    I was working on this project, and I'll tell you I was extremely disheartened to learn people would try and sabotage this project. It is for a really good cause (if you believe in unions that is, I don't, but it was still for a good cause) and I hope the project isn't jeopardized beyond repair because of this. For those who might have guessed, the system that was hacked was a Windows 2000 Pro box running SQL Server and a statistics program called STATA. The box was only up and running while retrieving data and was turned off the rest of the time while I was on the project. There were very strict rules about letting the box onto the network since it wasn't a Berkeley box, but then they took the box and put on their own security software which supposedly made the data safe. I can give you the name of the IT guy in charge if you want. Many of you are listing reasons for not having the SSN's on the database, and that they should have been kept at the state level and then the state give us unique identifier numbers. In actuality, the state does not provide that service, and only provides the data from several databases. We ourselves then created unique identifiers because we needed very specific samples from different populations of California. This identifier was made with a combination of people's relations, their ethnicity, and their social security number. You'd be surprised how many people in California have the same name. Also, although maybe not the best reason in some programmer's opinion - it was easier to separate people by their SSN because STATA didn't present a way to compare strings in a useful enough manner so as to use a combination of name and zipcode. And if you are wondering why we had names and addresses and phone numbers, it is because we called and mailed these people ourselves. Our first mailing - worked a 22 hour day, and tried about four different assembly lines!

    The state didn't help at all - and in the current time when we have idiot Republicans like Arnold (I can't spell his last name) who thinks fixing a state budget crisis involves cutting the budget of an already failing program and driving MORE people into poverty, I don't think you can expect them to help us tell them how and why they are wrong. I'm no longer on the project (got shipped overseas) but the people working on it are rock solid individuals, and personally, as a former IT guy myself, I blame the morons who worked IT at the division where this project is taking place. I understand Berkeley is huge, but for a University that supposedly is "computers" - they have a lot of people with absolutely no clue.

    1. Re:I worked on this project... by jonfelder · · Score: 4, Insightful

      So basically you blame IT, Microsoft, STATA, and Arnold instead of having the researchers take any of the blame themselves for being unable to generate usable random IDs. Why didn't they just generate their own random 9 digit identifier and delete the SSNs?

      Why didn't they make sure the box was secure by never putting it on the Internet?

      Granted yes, Microsoft software has vulnerabilities, STATA may suck, IT support may be stupid, and the state may have been negligent in distributing sensitive data this way, but don't you think the researchers have some responsibility for this as well?

      The researchers knew it wasn't good to have SSNs in the data and (according to you) had strict rules about network access because it wasn't a Berkeley box. Yet, they put the box on the Internet anyway with unobfuscated SSNs.

      Don't you think those actions on the part of the researchers require them to share in the responsibility?
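The design several posters argue for (garcia in comment 11, sxmjmae in comment 16, and jonfelder in the reply just above: replace the SSN with a surrogate identifier before the data leaves the owner, and keep the SSN-to-surrogate table only with the owner) as an added, runnable example. This is not code from any poster, from Slashdot, or from the Berkeley project; the CSV rows are constructed sample data, and the column names `ssn`, `name`, `zip`, `role`, the `person_id` field and the function names are assumptions. It also addresses bigbikkuri's reason for keeping the SSN, matching the same person across rows when names differ: the same SSN always maps to the same surrogate, so records can still be joined without the SSN ever appearing in the research file.

```python
"""Pseudonymize a research extract: swap each SSN for a random 9-digit
surrogate, keep the SSN<->surrogate linkage in a separate table that stays
with the data owner, and release only the surrogate-keyed rows.

Added example for this thread (not the posters' or the project's code).
All records below are constructed sample data.
"""
import csv
import io
import secrets

SSN_FIELD = "ssn"              # assumed column holding the direct identifier
SURROGATE_FIELD = "person_id"  # assumed name of the replacement key

# Constructed sample extract (not real data). Rows 1 and 3 share an SSN but
# spell the name differently: the surrogate must still link them.
SAMPLE_CSV = """ssn,name,zip,role
123456789,Jane Doe,94704,caregiver
987654321,John Smith,94702,recipient
123456789,Jane A. Doe,94704,recipient
"""


def new_surrogate(forbidden):
    """Return a random 9-digit surrogate, zero-padded to SSN length so
    downstream code expecting a 9-character key keeps working. `forbidden`
    holds every surrogate already issued plus every real SSN in the extract,
    so a surrogate can never collide with either; the new value is added."""
    while True:
        candidate = f"{secrets.randbelow(10**9):09d}"
        if candidate not in forbidden:
            forbidden.add(candidate)
            return candidate


def pseudonymize(rows, ssn_field=SSN_FIELD):
    """Split `rows` into (research_rows, linkage).

    research_rows carry SURROGATE_FIELD instead of the SSN and are what the
    researchers receive. linkage maps SSN -> surrogate and is the only thing
    that can re-identify anyone, so it stays with the data owner. The same
    SSN always yields the same surrogate, preserving per-person joins."""
    forbidden = {row[ssn_field] for row in rows}
    linkage = {}
    research_rows = []
    for row in rows:
        ssn = row[ssn_field]
        if ssn not in linkage:
            linkage[ssn] = new_surrogate(forbidden)
        clean = {k: v for k, v in row.items() if k != ssn_field}
        clean[SURROGATE_FIELD] = linkage[ssn]
        research_rows.append(clean)
    return research_rows, linkage


def reidentify(surrogate, linkage):
    """Reverse lookup, possible only for whoever holds the linkage table."""
    for ssn, sid in linkage.items():
        if sid == surrogate:
            return ssn
    return None


def leaks_ssn(research_rows, linkage):
    """Pre-release check: True if any real SSN still appears in any field
    of the research rows (e.g. copied into a free-text column)."""
    ssns = set(linkage)
    return any(value in ssns for row in research_rows for value in row.values())


def run_demo(text=SAMPLE_CSV):
    """Parse the constructed CSV and pseudonymize it."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return pseudonymize(rows)


if __name__ == "__main__":
    research, linkage = run_demo()
    for row in research:
        print(row)
    print("linkage entries (retained by data owner only):", len(linkage))
    print("SSN present in research file:", leaks_ssn(research, linkage))
```

The random surrogate is drawn from `secrets` rather than a sequence counter so that a surrogate reveals nothing about the order records were processed; sxmjmae's zero-padded sequence number is the same design with a counter in place of `new_surrogate`. The `leaks_ssn` check is the step worth automating before any file leaves the owner, since a stray SSN in a notes column defeats the whole scheme.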