UCLA alerts 800,000 to data breach
Robert Lemos, SecurityFocus 2006-12-12

The University of California, Los Angeles warned students, parents, faculty and staff on Tuesday that they may be at risk of identity fraud after an unknown attacker breached a university-administered database containing personal information on approximately 800,000 people.

The database--whose purpose was not described in UCLA's statements--contained names, Social Security numbers, dates of birth, home addresses and contact information, but not banking and credit-card information nor driver's license numbers, the university said in a statement published on Tuesday. The database contained information on the school's current students, faculty and staff, some former students and applicants as well as some parents of those students that applied for financial aid.

The attacks occurred between October 2005 and November 2006, the university stated. The school took action on November 21, when network administrators noticed unauthorized activity, blocking further access to the database.

"In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications," Jim Davis, UCLA's chief information officer and associate vice chancellor for information technology, said in a statement announcing the breach. "We deeply regret the concern and inconvenience caused by this illegal activity. We have reconstructed and protected the compromised database and launched a comprehensive review of all computer security measures to accelerate systematic enhancements that were already in progress."

The database breach is the latest large-scale data theft in 2006. The theft of a laptop containing the personal information, including Social Security numbers, of nearly 26.5 million current and former members of the U.S. armed services in May marked the nadir of a year beset by privacy-threatening incidents. While a massive effort by U.S. law enforcement resulted in the recovery of the laptop, the incident caused the federal government to strengthen data security rules.

Other universities have also fallen afoul of online data thieves. The University of Texas at Austin warned in April that a database containing information on almost 200,000 students and staff had been breached by an unknown hacker. And the University of California at Berkeley warned two years ago that a compromised laptop had put nearly 1.4 million Californians who had participated in state social programs at risk.

The spate of public breach disclosures has been driven by laws in 31 states requiring notification of people whose identity is put at risk by a loss of data, said Beth Givens, director of the pro-consumer Privacy Rights Clearinghouse. While the laws are not perfect, they do force most companies that have suffered a database attack or lost a computer or storage media containing personal information to warn affected consumers.

Consumers should not take chances with fraud, Givens said.

"They are likely not to be victims of identity theft, but they can't take the chance," she said. "Especially when Social Security numbers are exposed, those individuals are at risk of identity theft."

The Privacy Rights Clearinghouse maintains a list of major data breaches publicly disclosed since February 2005. To date, nearly 100 million records have been put at--albeit uncertain--risk by data breaches, lost laptops and missing backup tapes, according to the organization.

The overwhelming majority of those data breaches will not result in fraud, according to analyst firm Javelin Strategy & Research, which surveys the victims of identity fraud annually.

In an analysis released in August, the firm found that only 6 percent of all identity fraud--defined as someone using the victim's accounts or creating new accounts in the victim's name--where the source could be identified resulted from a breach. Looked at another way, only 0.8 percent of those alerted of a breach actually became victims of fraud, said Bruce Cundiff, senior analyst with Javelin Strategy & Research.

"The vast majority of victims of data breaches do not automatically become the victims of data fraud," Cundiff said. "The number you hear is 800,000, so you immediately think that 800,000 will become the victims of identity fraud. From the data we have gathered, that simply is not true."

It also depends on the exact details of the breach, he said. The thieves who stole the laptop from an employee of the U.S. Department of Veterans Affairs, for example, allegedly did not know, or care, about the data on the system, making it less likely that the data will be used for fraud. In another university breach, a flaw in the admissions database at the University of Southern California caused that school to notify nearly 280,000 students after a security researcher breached the school's Web application to demonstrate a vulnerability. The researcher, Eric McCarty, agreed to plead guilty to accessing the system--in total, seven records--without authorization and will be sentenced to three years of probation with a condition of 6 months of home detention, if the judge agrees to the terms. (corrected)

In the latest breach case, representatives of the University of California, Los Angeles stressed that the school is using an "abundance of caution" in warning people.

"UCLA is notifying all of those individuals in the database, even though a continuing investigation indicates that the computer trespasser sought and obtained only some of the information," the university said in a notice on its site. "There is no evidence to suggest that personal information has been misused."

The university also sent its warning letter to more than 3,000 staff and faculty of the University of California, Merced, as well as current or former employees of the University of California Office of the President. UCLA does administrative processing for the two offices.

CORRECTION: The article mistakenly referred to the McCarty case as complete. While McCarty and prosecutors have come to a plea agreement, the judge has yet to rule on the agreement.

Copyright 2006, SecurityFocus