From: InfoSec News (alertsinfosecnews.org)
Date: Mon Jan 08 2007 - 03:07:36 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.ocregister.com/ocregister/news/homepage/article_1537469.php

By MARLA JO FISHER
The Orange County Register
January 7, 2007

LAGUNA NIGUEL -- Lee Steidel was a bit mystified when she got four new
credit cards in the mail, but she figured with the holidays coming up,
maybe she could use them.

A few days later she got the statements at her home in Laguna Niguel.
Someone had stolen her identity and charged $8,000 on cards in her name.

To add insult to injury, the thieves signed up for "credit protection"
on a Macy's card and donated $25 to charity.

Steidel began the long, tedious process of reporting the thefts and
repairing her credit, without any idea of how they could have happened.

On Dec. 12, she was among 800,000 people notified that their personal
information could have been stolen from a database at UCLA in the past
year.

It was the largest campus security breach in history. Thieves had hacked
into UCLA's huge database and mined Social Security numbers for months
without detection.

"I can't prove my identity was stolen from this UCLA break-in, but it
certainly is quite a coincidence," said Steidel, a real estate appraiser
who took a UCLA extension class in Westwood last summer.

UCLA spokesman Phil Hampton said the university is unsure how many
people's Social Security numbers were stolen but that it was probably
"in the 5 percent range" of the 800,000 people in the database.

That would be 40,000 people.

The hacker was able to exploit a previously unknown vulnerability in
UCLA's security system to access the database with names, Social
Security numbers, birth dates, home addresses and contact information.

The database had information about current and former students, faculty
and staff members, some student applicants and some parents or students
who applied for financial aid. Some UC Merced and Office of the
President staff members also were affected.

According to UCLA, the security breach was found Nov. 21 when
technicians noticed unusual activity.

"This was a sophisticated hacker who was able to cover his or her tracks
very well, access the database and bypass our diligent security
measures," Hampton said.

The FBI is investigating the break-in, he said.

"We are encouraging people who believe they are victims to file reports
with the FBI or local law enforcement," Hampton said.

UCLA set up a Web site, www.identityalert.ucla.edu, with information,
and a toll-free hot line, 877-533-8082.

By the third week in December, the hot line had answered about 30,000
calls on the subject, Hampton said.

On the day that UCLA says it discovered the break-in, UCLA Today
magazine ran an article on the new director of campus computer security
under the headline, "IT Expert Protects Campus From Cyber Attacks."

College databases are attractive to hackers because they typically have
Social Security numbers. The federal government requires students who
apply for financial aid to use their Social Security numbers as
identifiers, so colleges must keep them on file.

Also, many colleges have used Social Security numbers to identify
students. To prevent identify theft, a state law is ending that practice
in California.

UC Irvine records were not involved in the break-in. No one at UCI would
talk about computer breaches there, but the campus issued a statement
saying that a few minor incidents had occurred in the past.

"In our case, all the incidents were addressed, which of course included
notifying those affected," UCI spokesman Jim Cohen said in the
statement. "This is a threat institutions such as UCI face every day and
we suspect that no institution of our size, despite everyone's efforts,
has proved invulnerable."

Cal State Fullerton stopped using Social Security numbers as student IDs
in 2004, replacing them with different nine-digit numbers.

Cal State Fullerton's chief information technology officer, Amir
Dabirian, said the campus security system repelled 270 million attempts
to penetrate its firewalls last year from Internet attacks, viruses and
hackers.

"We do the best we can," Dabirian said. "If you don't monitor the system
very closely for breaches, you could have the system breached and not
know it."

UCLA's case is the kind of scenario that keeps Dabirian and his peers up
at night.

He said one mistake UCLA probably made was maintaining such a large
database filled with personal information on not only students but also
alumni and parents.

"Obviously, they don't have 800,000 students there. It is something we
looked at a long time ago and removed our alumni from" the student
database, Dabirian said. "We don't keep Social Security numbers in our
alumni database. Other institutions should also aggressively take those
out.

"I think they have done the best they can. Unfortunately, this incident
proves you can't be perfect," he said.

Steidel's problems occurred in October, when charge accounts were opened
in her name in the San Fernando Valley, mostly around Northridge. The
thieves had created bogus driver's licenses to match her name and used
her real address to open the accounts at J.C. Penney, Macy's and Best
Buy.

Steidel uses K. Lee Steidel as her legal name, and one thief simply made
up a driver's license as "Kenneth Steidel."

They used their instant store credit to buy thousands of dollars in gift
cards and, at Macy's, an $894 Coach purse.

"I don't even carry a purse," Steidel said.

Macy's even closed her existing, legitimate account in favor of the new,
fraudulent account.

At Sears, the thief was notified that Steidel already had an account,
which he then used to buy $3,500 in gift cards, using a fake driver's
license.

Sears issued a statement saying it takes "the security of our customers'
information very seriously."

The purchases at J.C. Penney qualified Steidel for "Privilege Gold" card
status, which she learned when she got a new card in her mailbox.

Responding to a reporter's query, a spokesman for GE Money, which
operates Penney's credit-card program, said in a statement that Steidel
"was not held liable for any fraudulent charges, and the account was
closed."

The only store that turned the thieves down was Target something she
learned after receiving a rejection letter addressed to Kenneth Steidel.

"I must applaud Target. It was the only retailer who checked the
application and declined, thank goodness," she said.

Steidel said she was unable to get answers on the UCLA hot line, so she
called UCLA's legal counsel office. She wanted to know why a hacker had
been able to break into the university's system for 13 months without
detection.

Steidel said a lawyer at UCLA told her the problem was uncovered when
technicians noticed a significant number of records being transferred to
China. Forensic experts found retroactive break-ins, she said.

UCLA spokesman Hampton was unable to confirm Steidel's information about
the break-ins.

She said the university was not offering financial assistance to
victims.

"I have spent 76 hours working on this so far," Steidel said. "I
contacted all the creditors' fraud departments, and then you have to
file a crime report with the sheriff."

While the fraudulent charges will be removed from her bills, she can't
buy the new car she wants because of the fraud alerts on her credit
reports and the high debts her credit report shows.

"I think we should get free classes for the rest of our lives for this,"
Steidel said.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]