Slashdot Mirror
Break-In Compromises 160k Medical Records At UC Berkeley
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
Nothing is impossible. It just hasn't been figured out yet.
This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.
This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.
Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens everyday, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSN's, DOB's, etc into the garbage or post them to the net. It's horrific. At least when hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.
http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/
The email informing students of the breach was sent on May 8th. It was all over the news last Friday.
UC Berkeley using a BSD? That's highly illogical!
It's not just military-grade information that needs protecting.
If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.
With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.
For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.
I don't give them to insurance people, I don't give them to Dr.'s or medical institutions, or even utilities (cable, phone). etc). I don't give it out to hardly anyone. Sometimes it is a fight, but, very seldom has it happened, that when I was going to walk away from the transaction, did they not cave and say "ok".
The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...
When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Lets say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.
It's got to do with a credit check. You need to surrender your SSN for the normal credit check, and they use the results to determine your deposit. Very few companies will do an alternate (less informative/reliable) check that does not require your ssn.
Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit. Anyone that tells you that your ssn is required to get an iPhone is out of touch with reality.
This is true of any of the places that are not authorized by law to require your ssn. So same applies to the others that are often brought up, such as utilities, and pretty much always applies to calculation of a deposit or interest rate.
I work for the Department of Redundancy Department.
So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.
I wish that were funny.
If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...
Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
</feeding the troll>
The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.
And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.
You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.