SecurityFocus 2006-12-12
The University of California, Los Angeles warned students, parents, faculty and staff on Tuesday that they may be at risk of identity fraud after an unknown attacker breached a university-administered database containing personal information on approximately 800,000 people.
The database--whose purpose was not described in UCLA's statements--contained names, Social Security numbers, dates of birth, home addresses and contact information, but not banking or credit-card information or driver's license numbers, the university said in a statement published on Tuesday. The database contained information on the school's current students, faculty and staff, some former students and applicants, as well as some parents of those students who applied for financial aid.
The attacks occurred between October 2005 and November 2006, the university stated. The school took action on November 21, when network administrators noticed unauthorized activity, blocking further access to the database.
"In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications," Jim Davis, UCLA's chief information officer and associate vice chancellor for information technology, said in a statement announcing the breach. "We deeply regret the concern and inconvenience caused by this illegal activity. We have reconstructed and protected the compromised database and launched a comprehensive review of all computer security measures to accelerate systematic enhancements that were already in progress."
The database breach is the latest large-scale data theft in 2006. The theft of a laptop containing the personal information, including Social Security numbers, of nearly 26.5 million current and former members of the U.S. armed services in May marked the nadir of a year beset by privacy-threatening incidents. While a massive effort by U.S. law enforcement resulted in the recovery of the laptop, the incident caused the federal government to strengthen data security rules.
Other universities have also fallen afoul of online data thieves. The University of Texas at Austin warned in April that a database containing information on almost 200,000 students and staff had been breached by an unknown hacker. And the University of California at Berkeley warned two years ago that a compromised laptop had put nearly 1.4 million Californians who had participated in state social programs at risk.
The spate of public breach disclosures has been driven by laws in 31 states requiring the mandatory notification of people whose identity is put at risk by a loss of data, said Beth Givens, director of the pro-consumer Privacy Rights Clearinghouse. While the laws are not perfect, they do force most companies that have suffered a database attack or lost a computer or storage media containing personal information to warn affected consumers.
Consumers should not take chances with fraud, Givens said.
"They are likely not to be victims of identity theft, but they can't take the chance," she said. "Especially when Social Security numbers are exposed, those individuals are at risk of identity theft."