Slashdot Mirror


UCLA Hacked, 800,000 Identities Exposed

An anonymous reader writes "The Washington Post reports that a central campus database at UCLA containing the personal information (including SSNs) of about 800,000 UCLA affiliates has been compromised for possibly over a year. The data may have been available to hackers since October 2005 until November 21, 2006, when the breach was finally detected and blocked. Several other UC campuses have also been involved in significant data security incidents over the past few years." From the article: "'To my knowledge, it's absolutely one of the largest,' Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association, told the Los Angeles Times. Petersen said that in an Educause survey released in October, about a quarter of 400 colleges said that over the previous 12 months, they had experienced a security incident in which confidential information was compromised, the newspaper reported."

4 of 148 comments

  1. E-mail sent to UCLA students, faculty, and staff by George Maschke · Score: 4, Informative

    December 12, 2006

    Dear Friend,

    UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker. This database contains certain personal information about UCLA's current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current and some former faculty and staff at the University of California, Merced, and current and some former employees of the University of California Office of the President, for which UCLA does administrative processing.

    I regret having to inform you that your name is in the database. While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers. Therefore, I want to bring this situation to your attention and urge you to take actions to minimize your potential risk of identity theft. I emphasize that we have no evidence that personal information has been misused.

    The information stored on the affected database includes names and Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information.

    Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.

    In addition, UCLA has notified the FBI, which is conducting its own investigation. We began notifying those individuals in the affected database as soon as possible after determining that personal data was accessed and after we retrieved individual contact information.

    As a precaution, I recommend that you place a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent. For details on how to take these steps, please visit http://www.identityalert.ucla.edu/what_you_can_do.htm.

    Extensive information on steps to protect against personal identity theft and fraud is on the Web site of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs, http://www.privacy.ca.gov.

    Information also is available on a Web site we have established, http://www.identityalert.ucla.edu. The site includes additional information on this situation, further suggestions for monitoring your credit and links to state and federal resources. If you have questions about this incident and its implications, you may call our toll-free number, (877) 533-8082.

    Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to rel

    --

    George W. Maschke
    AntiPolygraph.org

  2. Re:It's time to make the SSN database public by Politburo · Score: 2, Informative
    Even now though, older SSN's are being reissued as people die off.

    Myth. SSA site (link may not work due to silly session cookies)

    We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 420 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

  3. Re:It's time to make the SSN database public by swillden · Score: 2, Informative

    Personally, I wouldn't mind seeing fingerprints, DNA or Retina Scan based systems.

    If you think getting your compromised social security number changed is hard, you should see what it takes to change your retinas. Or DNA...

    Biometrics are useful security tools, but you have to keep in mind that they are only passwords. They're convenient passwords, in that you can't forget them (though you *can* lose them!), and they're fairly high-entropy passwords as well, making them hard to guess. However, they're unchangeable passwords, and you leave copies of your fingerprints and DNA pretty well everywhere you go.

    Because of all of these problems, biometrics should only be used in two scenarios:

    • Low-security situations where convenience is at a premium. While biometric scanners can be fooled, it's not trivial to fool them, so if the value of whatever is protected by the security isn't very high, then biometrics are adequate from a security perspective, and have great convenience characteristics. They're especially useful in circumstances where the most likely alternative is no security at all. Note that there are some gradations within this category, based on whether the biometric is being used for identification, authentication, or both. If both, then either the population had better be very small, or the security requirement very, very weak, because the birthday problem is going to be a major issue.
    • Very high security situations where the scanning station is attended by a trained, watchful guard tasked with assuring that scans are done properly and/or multiple authentication factors are used, such as a password, smart card or other physical token *and* a biometric scan (or two!).

    The sort of high-volume, medium-security authentication required for most financial transactions is not a good application for biometrics. Granted that biometrics would increase the security if added to the current set of varied and generally weak mechanisms used, but if biometric authentication were actually deployed, it would almost certainly be used to *replace* the current mechanisms, not augment them. That wouldn't help and would probably hurt. Further, the application of biometrics would delay the application of better security, raise lots of privacy concerns, etc. It's not a good idea, sorry.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
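The birthday-problem point in the comment above, worked through as an added example (not part of the original post): given a per-comparison false match rate (FMR, an assumed figure here), a 1:N identification query and the enrolled population as a whole both accumulate false-match risk far faster than a 1:1 verification does.

```python
import math


def identification_false_match_probability(n: int, fmr: float) -> float:
    """Probability that one 1:N identification query (no claimed identity,
    so the sample is compared against all n templates) falsely matches at
    least one enrolled template: 1 - (1 - fmr)^n.
    For n == 1 this is the plain 1:1 verification FMR."""
    return 1.0 - math.exp(n * math.log1p(-fmr))


def pairwise_collision_probability(n: int, fmr: float) -> float:
    """Birthday-problem form: probability that at least one of the
    C(n, 2) pairs of enrolled templates falsely matches each other,
    i.e. two enrolled people are indistinguishable to the system."""
    pairs = n * (n - 1) // 2
    return 1.0 - math.exp(pairs * math.log1p(-fmr))


def max_population(target: float, fmr: float) -> int:
    """Largest population n for which a 1:N identification query stays at
    or below the target false-match probability.
    (1 - fmr)^n >= 1 - target  <=>  n <= ln(1 - target) / ln(1 - fmr)."""
    return int(math.floor(math.log1p(-target) / math.log1p(-fmr)))


if __name__ == "__main__":
    FMR = 1e-4  # assumed per-comparison false match rate, for illustration
    for n in (1, 100, 1_000, 10_000):
        print(f"n={n:>6}: 1:N false match {identification_false_match_probability(n, FMR):.4f}"
              f"  enrolled-pair collision {pairwise_collision_probability(n, FMR):.4f}")
    print("population keeping 1:N false match <= 1%:", max_population(0.01, FMR))
```

With an FMR of 1e-4, a single identification query against 1,000 people already has a roughly 9.5% chance of a false hit, and the enrolled population is virtually certain to contain at least one colliding pair.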
  4. Re:This says it all - The rest of the story (tm) by DenDude · Score: 2, Informative

    Yeah, the server that you mention may be 2003, but all of the other servers on netcraft show linux/apache. http://toolbar.netcraft.com/site_report?url=http://www.ucla.edu

    --
    A Haiku: my language choices/assembler pascal lisp c/old school programmer