The University of California at Berkeley started warning students and alumni on Friday that online thieves infiltrated the school's restricted servers and stole medical records on more than 160,000 individuals.
The database exposed by the breach held information on UC Berkeley's students, alumni and staff, including health insurance information and Social Security numbers, the university said in a statement. The breach lasted from October 9, 2008 to April 9, 2009 (corrected), when campus administrators performing maintenance on the systems detected the intrusion. Early evidence uncovered in the investigation suggests the attack came from overseas and accessed the secured databases by compromising a public Web site run on the same server.
"The university deeply regrets exposing our students and the Mills community to potential identity theft," Shelton Waggener, UC Berkeley's associate vice chancellor for information technology, said in the statement. "We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."
The breach is not the first time that UC Berkeley has had to deal with a massive data loss. In 2004, California's Health and Human Services Agency announced that up to 1.4 million people may have had their records stolen from a database stored on a school computer. The University of California at Los Angeles told students and others that hackers had stolen as many as 800,000 records containing Social Security numbers, dates of birth, home addresses and contact information. While quite a few colleges have suffered large breaches, intrusions into payment-processor networks over the past few years have dwarfed those losses.
The data stolen from UC Berkeley includes health data of the school's students and alumni — and their parents or spouses, in many cases — who received benefits through University Health Services as well as approximately 3,400 students of Mills College in Oakland, Calif., who were eligible to receive benefits.
CORRECTION: The dates between which UC Berkeley believes attackers were in their systems had their years reversed in the original article. UC Berkeley believes the attack began on October 9, 2008 and ended on April 9, 2009.
Posted by: Robert Lemos