Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

UCLA Hacked, 800,000 Identities Exposed

Posted by Zonk on Tue Dec 12, 2006 08:39 AM
from the educational dept.
Security Education
An anonymous reader writes "The Washington Post reports that a central campus database at UCLA containing the personal information (including SSNs) of about 800,000 UCLA affiliates has been compromised for possibly over a year. The data may have been available to hackers since October 2005 until November 21, 2006, when the breach was finally detected and blocked. Several other UC campuses have also been involved in significant data security incidents over the past few years." From the article: "'To my knowledge, it's absolutely one of the largest,' Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association, told the Los Angeles Times. Petersen said that in a Educause survey release in October, about a quarter of 400 colleges said that over the previous 12 months, they had experienced a security incident in which confidential information was compromised, the newspaper reported."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

UCLA Hacked, 800,000 Identities Exposed 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • E-mail sent to UCLA students, faculty, and staff (Score:5, Informative)

    by George Maschke (699175) on Tuesday December 12 2006, @08:45AM (#17206832) Homepage

    December 12, 2006

    Dear Friend,

    UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker. This database contains certain personal information about UCLA's current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current and some former faculty and staff at the University of California, Merced, and current and some former employees of the University of California Office of the President, for which UCLA does administrative processing.

    I regret having to inform you that your name is in the database. While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers. Therefore, I want to bring this situation to your attention and urge you to take actions to minimize your potential risk of identity theft. I emphasize that we have no evidence that personal information has been misused.

    The information stored on the affected database includes names and Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information.

    Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.

    In addition, UCLA has notified the FBI, which is conducting its own investigation. We began notifying those individuals in the affected database as soon as possible after determining that personal data was accessed and after we retrieved individual contact information.

    As a precaution, I recommend that you place a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent. For details on how to take these steps, please visit http://www.identityalert.ucla.edu/what_you_can_do. htm [ucla.edu].

    Extensive information on steps to protect against personal identity theft and fraud are on the Web site of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs, http://www.privacy.ca.gov [ca.gov].

    Information also is available on a Web site we have established, http://www.identityalert.ucla.edu [ucla.edu]. The site includes additional information on this situation, further suggestions for monitoring your credit and links to state and federal resources. If you have questions about this incident and its implications, you may call our toll-free number, (877) 533-8082.

    Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to rel

    • A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent.

      Gee, it isn't that way by default? I would expect that that information too would be safeguarded...

      What are the credit implications for placing a freeze on that information? Does it affect credit scores in any way? If not, I would like to place one on my own, just for fact that I don't want anybody looking at that information withou

      • Yes, should be the default, but you can't even get a security freeze unless you live in a state that forces the credit bureaus to do it. California is one.

        It should be illegal to treat the SSN as proof of identity anyway. What kind of password has the following properties?
        o Less than a billion possible values
        o Part of it based on your place of birth
        o You're required to disclose it to dozens or hundreds of places
        o Any credit-granting company can order a report and look at it
        o It never changes
    • "I regret having to inform you that your name is in the database."

      He regrets having to inform us, not that they were hacked.

      • "I regret having to inform you that your name is in the database."

        He regrets having to inform us, not that they were hacked.
        For that matter, he doesn't even regret that your name was in the database -- only that he has to tell you about it.

  • One way to help protect... (Score:4, Insightful)

    by s31523 (926314) on Tuesday December 12 2006, @08:46AM (#17206840)
    When I was in a U.S. college, albeit a long time ago i.e. before Patriot Act and 9/11, I had the choide to use a random number as my student ID rather than my social security number. I remember hearing that the soc. security number is(was? pre 9/11) only required for social security and tax purposes. I think more places should start using other numbers. Although this wouldn't solve hacked identity theft, it is one less piece of information that the hackers get...

    • Re: (Score:3, Interesting)

      by denebian devil (944045)

      When I was in a U.S. college, albeit a long time ago i.e. before Patriot Act and 9/11, I had the choide to use a random number as my student ID rather than my social security number. I remember hearing that the soc. security number is(was? pre 9/11) only required for social security and tax purposes. I think more places should start using other numbers. Although this wouldn't solve hacked identity theft, it is one less piece of information that the hackers get...

      Except that would just mean that when the hackers get their spreadsheet full of information on 800,000 people, they just have to remember to look to the "SSN" column instead of the "Student ID" column to get the information they want. The school will still collect your SSN whether they use it as your ID or not. The question merely becomes whether it is your SSN or some randomly generated number that they put on your ID card.

      • Re:One way to help protect... (Score:4, Interesting)

        by s31523 (926314) on Tuesday December 12 2006, @09:03AM (#17207008)
        I actually refused to give my social security number to the school (again this was pre 9/11 and Patriot Act) because when I asked why they needed it they said for administrative purposes only. After my unwillingness to give it up they said, "well sir, we can assign you a generic ID number, but that will be really hard to remember and most students choose their soc. number because they can remember it. Are you sure you want to do this?". So, in my case the soc. sec. column had a generic number (which was 11 digits, instead of 9).
        • I don't see the argument for it being too hard to remember. Mind you, my student ID number was 7 digits and not 11, but having to remember an 11 digit number isn't that bad. It's no longer than a phone number with area and country code. Having to write my student number on every assignment, and test helped me remember my student number quite quickly. Although I could see them needing the social security number for tax purposes as tuition fees are tax deductible, at least in Canada.
      • When I was an international student at a US university, we were given university-issued SSNs before we got official temporary ones from the government. The university did not map between the two and we only had the non-official one associated with our accounts, which was basically an institution ID number, a student ID number and a lot of 'X' characters. There must be a provision at most universities to allow this already, so it would hopefully not be a huge leap to adjust their systems accordingly? As a no

      • I think, for the most part, you're right---if someone gets the right records (i.e. those that correlate SSN with ID#s), there's not much you can do.

        However, having non-SSN ID#s means that your SSN appears (or at least needs to appear) in fewer places in your records and on campus in general. The problem is that students use (or can at many places use) their IDs at the library, as a debit card, and the like, and having ID=SSN means having that information out there in a LOT of places.

        To take one example peo
      • SSN's required for Financial Aid and I think Selective Service registration proof is done the same way. Since school is so damn expensive, almost everyoen needs financial aid unless your Bill Gates or at the very least a millionare.

    • I remember hearing that the soc. security number is(was? pre 9/11) only required for social security and tax purposes.

      From the beginning actually. Cards say on 'em "Not to be used for ID" or something like that. However, it has always been a "mostly" unique number, so someone somewhere decided to start using it as a unique identifier in their database (or rolodex at that point most likely) and its just gotten worse since...
  • TFA doesn't mention what the "hack" was. My guess, the software (probably a website) is more of a hack than anything that was done to access the data.

    It's scary how much information is being reported as leaked every couple months.

  • Santa Claus says "security? ho ho ho!" (Score:5, Insightful)

    by Toby The Economist (811138) on Tuesday December 12 2006, @08:48AM (#17206880)
    Security is hard to get right because you have to get *everything* right.

    Make one mistake and you've got no security.

    As such, it is problematic to have vast databases of highly valuable information protected by "security".

    The result will be a constant flow of database violations.

    Unfortunately, by and large, the a database provides a large and ongoing bureaucratic benefit to an organisation, whereas the pain of data loss is primarily born by the people described by the database.

    The only response we have as individuals is to keep our details as secret as possible.

    • Security is hard to get right because you have to get *everything* right.

      Sort of. The problem with getting everything right is that you're dealing with non-physical concepts. If people were dealing with a physical structure it would be easier for them to understand and get it "right". Or at least closer to "right" than we currently see.

      For example, important physical records are kept in a safe. The safe is in someone's office. The office is locked. If someone sees someone else going through the safe, most o

    • Re: (Score:3, Insightful)

      by canuck57 (662392)

      Security is hard to get right because you have to get *everything* right.

      You are assuming rational due diligence was in fact even attempted. These are institutions run by politicians.

      Make one mistake and you've got no security.

      Not if you have really done your homework. You NEVER rely on one system. When the second system catches a violation, you promptly deal with it.

      One has to ask, why did it take so long to notice? Think about all the others that are not even watching?

      Computer security is all abo

    • Security is hard to get right because you have to get *everything* right. Make one mistake and you've got no security.

      I don't agree. Isn't one of the basic principles of security to use multiple layers? Firewall, IDS, TCP wrappers, strong passwords, etc. Insert various other security methods anywhere in the chain and you can be well defended. If I make a mistake in my firewall config, I should still be reasonably sure that I won't be totally compromised.

    • >Security is hard to get right because you have to get *everything* right.

      >Make one mistake and you've got no security.

      We're used to thinking that because good security design is so rare. Imagine if all ships and boats were guaranteed to sink the instant a hole opened in the hull. Good design contains failures. Maybe, just maybe, UCLA's database had a view that left out the SSNs and that almost all users were required to use. Anyone seriously think they did it that way? Not to mention how long it too

  • Good Target (Score:3, Interesting)

    by GreggBz (777373) on Tuesday December 12 2006, @08:57AM (#17206954) Homepage
    I imagine a University is the type of organization that kind of flies under the radar. Banks, hospitals, credit card companies, these are obvious repositories of personal information. UCLA, not so much. Factor that in with a large, old, complex computer network with volumes of historical data (Those of you that graduated 20 years ago can probably still get your transcript) and you are bound to have quite a bit of low hanging fruit.
    • Actually, universities have tons of data. Remember how you paid for school right? Financial Aid, Stafford Loans and more and you probably went right through the school to get it thanks to the grade requirements and more. Universities are famous for having alot of things on file and tons of unskilled labor who don't know any better (students and more).

  • It's time to make the SSN database public (Score:5, Interesting)

    by MightyYar (622222) on Tuesday December 12 2006, @08:59AM (#17206974)
    If the SSN database were public, the SSN would cease to become such a valuable target for identity thieves - systems would have to be changed to account for the public nature of the information. The SSN is fine as a unique identifier, but it should never have become a security tool.
    • The SSN was never to be used as a identifier. PERIOD. It was only to be used for the Social Security System. It was banks and credit bureaus who made the SSN a identifier. The issue that the banks and credit bureaus confronted so many years ago was that they needed a unique way of identifying you for purposes of granting credit. The SSN was the only option as it was desgined from the get go to give you a unique number. Even now though, older SSN's are being reissued as people die off. The problem now is that the number is shown being used by a dead person.

      Unfortunately, there's no easy answer. SSN's already in use as an id and until something else better comes along, we have to use it. So what should we in IT do? First, reduce easy access to the number. When designing systems, issue a id that is unique and ONLY works with your system. If you need a way of identifying people in the real world, file the SSN and then reduce access to it. Only let the people who need that number have access to it. In the case of colleges, only financial aid and possibly select people records and registration need to see it. Everyone else MUST use the institution specific id.

      The big issue for some higher ed systems is that they used some unsecure methods for far too long. One system in particular up until about 2-3 years ago was using telnet in their client! It was not even SSL'd!
      • IMHO, the big problem is that the SSN is not only treated as an ID, but also as a PASSWORD!!! It would be like me using "Cro Magnon" as my password, and wondering how my /. account got hacked! *runs off to change password*
      • Personally, I wouldn't mind seeing fingerprints, DNA or Retina Scan based systems.

        • Re: (Score:3, Informative)

          by swillden (191260) *

          Personally, I wouldn't mind seeing fingerprints, DNA or Retina Scan based systems.

          If you think getting your compromised social security number changed is hard, you should see what it takes to change your retinas. Or DNA...

          Biometrics are useful security tools, but you have to keep in mind that they are only passwords. They're convenient passwords, in that you can't forget them (though you *can* lose them!), and they're fairly high-entropy passwords as well, making them hard to guess. However, they're unchangeable passwords, and you leave copies of your fingerprints and DNA pretty w

      • Re: (Score:3, Informative)

        by Politburo (640618)
        Even now though, older SSN's are being reissued as people die off.

        Myth. SSA site [ssa.gov] (link may not work due to silly session cookies)

        We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 420 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

      • Re: (Score:3, Interesting)

        by Vreejack (68778)
        The military has used SSN's as a service number almost from the outset, and we actually used to use ours in our mailing addresses. It made delivering mail to highly mobile service members a lot easier. This practice was discouraged in the late 1980's, but as late as the late 1990's the list of US military officers and their SSN's was annually published by congress.

        Although the original legislation for SSN's states that it is not meant to be a sort of national identification number, this seems mainly aimed
    • "It's time to make the SSN database public"

      I thought it already was!

  • Students? (Score:4, Funny)

    by Lord_Dweomer (648696) on Tuesday December 12 2006, @08:59AM (#17206978) Homepage
    What sort of options do the students have at this point? Is the school in any way liable? Or is this just going to be one of those instances where they say "oops, we were hacked, so sorry but nothing we can do" and leave the students screwed (once again)?

    All I know is that the school better not be heavily promoting its computer security courses.

  • The scary thing.. (Score:3, Interesting)

    by bigattichouse (527527) on Tuesday December 12 2006, @09:02AM (#17207002) Homepage
    Isn't what people get out of such a breach, but what can be PUT IN.
    ohh.. look at Johnny's sparkly new Ph.d. or M.D.

  • What imdemnification did the software developers provide in the event of such an occurance.
  • At first glance, I thought the headline read ACLU. Now that would have stirred up a hornets' nest!

  • As an alumnus... (Score:3, Funny)

    by Otter (3800) on Tuesday December 12 2006, @09:10AM (#17207062) Journal
    ...I'm willing to cut them a lot of slack since the USC game. So let's call this one a wash. Go Bruins!

  • since, from (Score:4, Interesting)

    by minus_273 (174041) <aaaaa@SPAM.yahoo.cTEAom minus caffeine> on Tuesday December 12 2006, @09:25AM (#17207292) Journal
    "The data may have been available to hackers since October 2005 until November 21, 2006,"

    Am I the only one who cringes when he reads this sentence.
  • ...corporate types wonder why there are so many lawsuits. To effectively drop the ball on the security of almost a million students and then what you get as far as service is a letter saying "oops," it makes me glad that Bush couldn't get his "frivolous lawsuit" legislation through.

    Maybe when companies/organizations trusted with information that leak it start getting sued by the people they are "protecting."

    At my school they used the last 4 numbers of your social security number as part of your email. Org
    • as frivolous. Most frivolous lawsuits are created without the intent to win but instead to settle.

      This incident is negilgent, possibly bordering unto criminal if they can figure out if some people knew about it earlier. Seeing that their a school I wonder what their liability is? I didn't check but is UCLA still considered a government entity? If so they may be already protected by law. Lots of laws that come along that punish businesses purposely exclude government agencies from the very same.
  • what if they took the people who's information they obtained, and then dropped it from the server.

    For eaxmple - they only went after applicants, collected the information, and dropped it from the server. There would be no existing student/faculty to wonder why there data was missing, and on top of that, if they did it at the right time, there might not even be a backup to verify it was ever there. Thus, the victim gets no warning whatsoever, and the thief gets an even longer time to escape.

    I hope the invest
  • Definition of data Valdez [doubletongued.org], via a self-link.

  • Maybe actual fraud will end up fixing this? (Score:3, Interesting)

    by King_TJ (85913) on Tuesday December 12 2006, @09:46AM (#17207606) Homepage Journal
    Despite all of these large, high-profile security breaches of late, you don't hear a whole lot about people who actually became victims of fraud right afterwards. I'm sure it's happening, but it seems to be in the "best interest" of practically everyone EXCEPT the consumers owning the info to sweep it under the rug. (EG. "No problem sir! Just mail back the form we send you, detailing all the charges you didn't actually make on your VISA, and we'll take care of it. A new card is on its way out to you right away.")

    You'd think that at some point, just about everyone in the U.S. will need to put "fraud alerts" on their credit profiles!

    As bad as it sounds, I think it's going to take real financial losses of an almost unmanageable sort for the lenders and credit agencies to say "Enough!" and find new ways to protect consumer info.

  • pwned (tagging beta) (Score:3, Funny)

    by Dan Slotman (974474) on Tuesday December 12 2006, @11:44AM (#17209654)
    pwned (tagging beta)
    This represents everything wrong with slashdot. On the other hand, I'm still here...

  • Their hotline database is offline (Score:3, Interesting)

    by rbanzai (596355) on Tuesday December 12 2006, @01:39PM (#17211438)
    I went to UCLA in the 80s/90s and have called twice this morning and both times their hotline database was offline. Of course they say "uh, I think... yeah, the database is being updated, please call back in 10-15 minutes..." but when I worked at a call center "database is being updated" = "BROKEN!"

    • Re:wow! (Score:5, Interesting)

      by atrizzah (532135) on Tuesday December 12 2006, @08:47AM (#17206850)

      My name was on the list. Hooray!

      I was just about to submit this story myself. Here's UCLA's official website devoted to the whole incident: Link [ucla.edu]

      I wonder, will there be a point in time when we hold accountable either the credit agencies for their broken system or organizations we are forced to trust with our data for not keeping it safe?

      • Re:wow! (Score:4, Funny)

        by voice_of_all_reason (926702) on Tuesday December 12 2006, @09:10AM (#17207066)
        I wonder, will there be a point in time when we hold accountable either the credit agencies for their broken system or organizations we are forced to trust with our data for not keeping it safe? Sure. But it's up to you. Here's a handy guide for redressing your grievances: http://en.wikipedia.org/wiki/Storming_of_the_Basti lle [wikipedia.org]

      • Re:wow! (Score:5, Interesting)

        by pilgrim23 (716938) on Tuesday December 12 2006, @10:56AM (#17208802)
        There is only one possible way to protect yourselves these days: Lie. If someone needs your info, or SAYS they need your info ("I am sorry sir but our regulations clearly state you must fill out this form") then lie, fib, tell an untruth! For years I have always typoed a number or two on my SSN on forms, mis-spelled my name, screwed up the address, etc. I never commit outright fraud, but I DO use tecnhiques that will screw up their database. If more of us just smiled shrugged and said "oh well" to these data leeches in this simple manner, the problem would go away due to the general unreliability of the database,
    • 800,000 people are going to be pissed

      especially people like me who applied to the school years ago and never attended. why are they storing SSNs of people that are not students or employees? my info should have never been in there to steal in the first place.
      • Why did you give them your SSN when they had no use for it?
        • they did have a use for it, but after it was clear that i would not be attending UCLA they no longer had a need for it and should not have retained it.
    • 800,000 people are going to be pissed as shit


      Correction.

      11 people are going to be pissed as shit.
      34 people are going to panic.
      72 people are going to wonder if the story is relevant to them.
      284 people aren't going to realise the story is relevant to them.

      799599 people affected aren't even going to hear about this, let alone care.

      There is a silent majority. It's silent because its too apathetic to speak.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.