Slashdot Mirror

← Back to Stories (view on slashdot.org)

UCLA Hacked, 800,000 Identities Exposed

Posted by Zonk on from the educational dept.

An anonymous reader writes "The Washington Post reports that a central campus database at UCLA containing the personal information (including SSNs) of about 800,000 UCLA affiliates has been compromised for possibly over a year. The data may have been available to hackers since October 2005 until November 21, 2006, when the breach was finally detected and blocked. Several other UC campuses have also been involved in significant data security incidents over the past few years." From the article: "'To my knowledge, it's absolutely one of the largest,' Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association, told the Los Angeles Times. Petersen said that in a Educause survey release in October, about a quarter of 400 colleges said that over the previous 12 months, they had experienced a security incident in which confidential information was compromised, the newspaper reported."

8 of 148 comments (clear)

  1. One way to help protect... by s31523 · · Score: 3, Insightful

    When I was in a U.S. college, albeit a long time ago i.e. before Patriot Act and 9/11, I had the choide to use a random number as my student ID rather than my social security number. I remember hearing that the soc. security number is(was? pre 9/11) only required for social security and tax purposes. I think more places should start using other numbers. Although this wouldn't solve hacked identity theft, it is one less piece of information that the hackers get...

  2. Santa Claus says "security? ho ho ho!" by Toby+The+Economist · · Score: 5, Insightful

    Security is hard to get right because you have to get *everything* right.

    Make one mistake and you've got no security.

    As such, it is problematic to have vast databases of highly valuable information protected by "security".

    The result will be a constant flow of database violations.

    Unfortunately, by and large, the a database provides a large and ongoing bureaucratic benefit to an organisation, whereas the pain of data loss is primarily born by the people described by the database.

    The only response we have as individuals is to keep our details as secret as possible.

  3. Re:E-mail sent to UCLA students, faculty, and staf by lawpoop · · Score: 2, Insightful

    "I regret having to inform you that your name is in the database."

    He regrets having to inform us, not that they were hacked.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  4. Re:It's time to make the SSN database public by Chanc_Gorkon · · Score: 4, Insightful

    The SSN was never to be used as a identifier. PERIOD. It was only to be used for the Social Security System. It was banks and credit bureaus who made the SSN a identifier. The issue that the banks and credit bureaus confronted so many years ago was that they needed a unique way of identifying you for purposes of granting credit. The SSN was the only option as it was desgined from the get go to give you a unique number. Even now though, older SSN's are being reissued as people die off. The problem now is that the number is shown being used by a dead person.

    Unfortunately, there's no easy answer. SSN's already in use as an id and until something else better comes along, we have to use it. So what should we in IT do? First, reduce easy access to the number. When designing systems, issue a id that is unique and ONLY works with your system. If you need a way of identifying people in the real world, file the SSN and then reduce access to it. Only let the people who need that number have access to it. In the case of colleges, only financial aid and possibly select people records and registration need to see it. Everyone else MUST use the institution specific id.

    The big issue for some higher ed systems is that they used some unsecure methods for far too long. One system in particular up until about 2-3 years ago was using telnet in their client! It was not even SSL'd!

    --

    Gorkman

  5. Telling quote... by Anonymous Coward · · Score: 1, Insightful

    Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid.

    So, a single software flaw got them past "all security measures." Sounds like some heads need to roll, starting with Jim Davis'.

  6. Re:Santa Claus says "security? ho ho ho!" by canuck57 · · Score: 2, Insightful
    Security is hard to get right because you have to get *everything* right.

    You are assuming rational due diligence was in fact even attempted. These are institutions run by politicians.

    Make one mistake and you've got no security.

    Not if you have really done your homework. You NEVER rely on one system. When the second system catches a violation, you promptly deal with it.

    One has to ask, why did it take so long to notice? Think about all the others that are not even watching?

    Computer security is all about priorities, it isn't even technical. It is social/political.

    Assume your SSN is public knowledge. The root cause of this issue is those that use SSN numbers f''k peoples lives up after they didn't verify it was being used correctly in the first place. The fundamental problem he is financial institutions are not making sure they deal with the correct person before handing over money.

    Want to solve identity theft? Simple, put 100% of the onus on those that use it to make sure they are dealing with the right person when they use it. Make it a criminal offense with hefty fines and penalties for non-compliance. Make it cost ineffective for big credit to mess up. Because in reality, identity theft is a credit company issue. After a few dozen $10 million dollar settlements for incorrectly assigned $1000 collections the credit agencies will get the message.

  7. Re:wow! by ObsessiveMathsFreak · · Score: 5, Insightful
    800,000 people are going to be pissed as shit


    Correction.

    11 people are going to be pissed as shit.
    34 people are going to panic.
    72 people are going to wonder if the story is relevant to them.
    284 people aren't going to realise the story is relevant to them.

    799599 people affected aren't even going to hear about this, let alone care.

    There is a silent majority. It's silent because its too apathetic to speak.
    --
    May the Maths Be with you!
  8. Re:E-mail sent to UCLA students, faculty, and staf by Beryllium+Sphere(tm) · · Score: 3, Insightful

    Yes, should be the default, but you can't even get a security freeze unless you live in a state that forces the credit bureaus to do it. California is one.

    It should be illegal to treat the SSN as proof of identity anyway. What kind of password has the following properties?
    o Less than a billion possible values
    o Part of it based on your place of birth
    o You're required to disclose it to dozens or hundreds of places
    o Any credit-granting company can order a report and look at it
    o It never changes