Security Education

UCLA Hacked, 800,000 Identities Exposed

An anonymous reader writes "The Washington Post reports that a central campus database at UCLA containing the personal information (including SSNs) of about 800,000 UCLA affiliates has been compromised for possibly over a year. The data may have been available to hackers since October 2005 until November 21, 2006, when the breach was finally detected and blocked. Several other UC campuses have also been involved in significant data security incidents over the past few years." From the article: "'To my knowledge, it's absolutely one of the largest,' Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association, told the Los Angeles Times. Petersen said that in an Educause survey released in October, about a quarter of 400 colleges said that over the previous 12 months, they had experienced a security incident in which confidential information was compromised, the newspaper reported."
  • Re:wow! (Score:5, Interesting)

    by atrizzah ( 532135 ) on Tuesday December 12, 2006 @09:47AM (#17206850)

    My name was on the list. Hooray!

    I was just about to submit this story myself. Here's UCLA's official website devoted to the whole incident: Link [ucla.edu]

    I wonder, will there be a point in time when we hold accountable either the credit agencies for their broken system or organizations we are forced to trust with our data for not keeping it safe?

  • by denebian devil ( 944045 ) on Tuesday December 12, 2006 @09:51AM (#17206914)

    When I was in a U.S. college, albeit a long time ago i.e. before Patriot Act and 9/11, I had the choice to use a random number as my student ID rather than my social security number. I remember hearing that the soc. security number is(was? pre 9/11) only required for social security and tax purposes. I think more places should start using other numbers. Although this wouldn't solve hacked identity theft, it is one less piece of information that the hackers get...
    Except that would just mean that when the hackers get their spreadsheet full of information on 800,000 people, they just have to remember to look to the "SSN" column instead of the "Student ID" column to get the information they want. The school will still collect your SSN whether they use it as your ID or not. The question merely becomes whether it is your SSN or some randomly generated number that they put on your ID card.
  • Good Target (Score:3, Interesting)

    by GreggBz ( 777373 ) on Tuesday December 12, 2006 @09:57AM (#17206954) Homepage
    I imagine a University is the type of organization that kind of flies under the radar. Banks, hospitals, credit card companies, these are obvious repositories of personal information. UCLA, not so much. Factor that in with a large, old, complex computer network with volumes of historical data (Those of you that graduated 20 years ago can probably still get your transcript) and you are bound to have quite a bit of low hanging fruit.
  • by MightyYar ( 622222 ) on Tuesday December 12, 2006 @09:59AM (#17206974)
    If the SSN database were public, the SSN would cease to become such a valuable target for identity thieves - systems would have to be changed to account for the public nature of the information. The SSN is fine as a unique identifier, but it should never have become a security tool.
  • The scary thing.. (Score:3, Interesting)

    by bigattichouse ( 527527 ) on Tuesday December 12, 2006 @10:02AM (#17207002) Homepage
    Isn't what people get out of such a breach, but what can be PUT IN.
    ohh.. look at Johnny's sparkly new Ph.d. or M.D.

  • by s31523 ( 926314 ) on Tuesday December 12, 2006 @10:03AM (#17207008)
    I actually refused to give my social security number to the school (again this was pre 9/11 and Patriot Act) because when I asked why they needed it they said for administrative purposes only. After my unwillingness to give it up they said, "well sir, we can assign you a generic ID number, but that will be really hard to remember and most students choose their soc. number because they can remember it. Are you sure you want to do this?". So, in my case the soc. sec. column had a generic number (which was 11 digits, instead of 9).
  • since, from (Score:4, Interesting)

    by minus_273 ( 174041 ) <{aaaaa} {at} {SPAM.yahoo.com}> on Tuesday December 12, 2006 @10:25AM (#17207292) Journal
    "The data may have been available to hackers since October 2005 until November 21, 2006,"

    Am I the only one who cringes when he reads this sentence?
  • by King_TJ ( 85913 ) on Tuesday December 12, 2006 @10:46AM (#17207606) Journal
    Despite all of these large, high-profile security breaches of late, you don't hear a whole lot about people who actually became victims of fraud right afterwards. I'm sure it's happening, but it seems to be in the "best interest" of practically everyone EXCEPT the consumers owning the info to sweep it under the rug. (EG. "No problem sir! Just mail back the form we send you, detailing all the charges you didn't actually make on your VISA, and we'll take care of it. A new card is on its way out to you right away.")

    You'd think that at some point, just about everyone in the U.S. will need to put "fraud alerts" on their credit profiles!

    As bad as it sounds, I think it's going to take real financial losses of an almost unmanageable sort for the lenders and credit agencies to say "Enough!" and find new ways to protect consumer info.
  • "I regret having to inform you that your name is in the database."

    He regrets having to inform us, not that they were hacked.
    For that matter, he doesn't even regret that your name was in the database -- only that he has to tell you about it.
  • Re:wow! (Score:1, Interesting)

    by Anonymous Coward on Tuesday December 12, 2006 @11:44AM (#17208534)
    This isn't going to show up on your monthly bank statement.

    Criminals typically do one of three things with a Name/DOB/SSN:

    1) Try to obtain credit in your name
    2) Open a bank account and use it for money laundering, bogus checks, ebay fraud, and various other scams
    3) Give your info when they get arrested

    1) will show up on your credit report eventually. With 2) or 3) you might not find out about it for awhile.
  • Re:wow! (Score:5, Interesting)

    by pilgrim23 ( 716938 ) on Tuesday December 12, 2006 @11:56AM (#17208802)
    There is only one possible way to protect yourselves these days: Lie. If someone needs your info, or SAYS they need your info ("I am sorry sir but our regulations clearly state you must fill out this form") then lie, fib, tell an untruth! For years I have always typoed a number or two on my SSN on forms, mis-spelled my name, screwed up the address, etc. I never commit outright fraud, but I DO use techniques that will screw up their database. If more of us just smiled, shrugged and said "oh well" to these data leeches in this simple manner, the problem would go away due to the general unreliability of the database.
  • by Vreejack ( 68778 ) on Tuesday December 12, 2006 @12:15PM (#17209140)
    The military has used SSN's as a service number almost from the outset, and we actually used to use ours in our mailing addresses. It made delivering mail to highly mobile service members a lot easier. This practice was discouraged in the late 1980's, but as late as the late 1990's the list of US military officers and their SSN's was annually published by Congress.

    Although the original legislation for SSN's states that it is not meant to be a sort of national identification number, this seems mainly aimed at evangelical Christians who identified such a thing with some passages from the Revelation of John. It wasn't until the communist and fascist regimes of Stalin and Hitler demonstrated the possibility of total control that secular fears of Big Brother began to surface.

    The reality of the SSN is that--being as it is a guaranteed unique name--it is extremely useful as an ID. But using it as a password is absolutely asinine. The sad truth is that criminals are more likely to know a victim's social security number than the victim is.
  • Re:Students? (Score:2, Interesting)

    by LouisJBouchard ( 316266 ) on Tuesday December 12, 2006 @01:15PM (#17210170)
    No one has the right to sue unless an actual crime against the student took place. My SSN was possibly stolen from a new employee state database recently (used to determine if someone owes child support they are skipping out on) and the attitude was that since the information was not used yet, we were on our own to protect ourselves. The police even refused to take a report because as far as they were concerned, the only victim was the state agency (never mind the cost and effort I had to go through to protect my current accounts and verify that someone has/is not using my information to commit a crime).

    I think that once places that hold information are held responsible (even if it is to pay for credit monitoring for 2 years for anyone whose information could have been stolen), then we will see a real concern about security. Right now, all anyone has to pay for is postage to notify a person and time to investigate. In this case for example, if UCLA had to pay for credit monitoring for 800,000 people for 2 years (at about $100/year/person), I am sure $160,000,000 would force them to make sure this does not happen again. Otherwise, we will hear more stories of this type.
     
  • by rbanzai ( 596355 ) on Tuesday December 12, 2006 @02:39PM (#17211438)
    I went to UCLA in the 80s/90s and have called twice this morning and both times their hotline database was offline. Of course they say "uh, I think... yeah, the database is being updated, please call back in 10-15 minutes..." but when I worked at a call center "database is being updated" = "BROKEN!"
