[ISN] Database breach investigation ongoing

From: InfoSec News (alertsinfosecnews.org)
Date: Fri Jan 11 2008 - 02:37:30 CST


http://www.dailybruin.ucla.edu/news/2008/jan/10/database-breach-investigation-ongoing/

By Julia Erlandson,
Daily Bruin senior staff
January 10, 2008

One year after a breach of a university database compromised students'
personal information, UCLA officials say they are continuing to track
the case and bolster security.

In December 2006, administrators alerted the campus community that a
hacker had accessed a UCLA database containing the names and Social
Security numbers of over 800,000 current and former students, as well as
faculty and staff members.

Though the database did not contain students' credit card or bank
information, the hacker did appear to have accessed some Social Security
numbers, which can be used to steal a person's identity.

An ongoing investigation has found no evidence of identity theft
resulting from the breach, though affected students should still be
vigilant, said Jim Davis, associate vice chancellor for information
technology.

Since the incident, university officials have worked to protect students'
Social Security numbers, Davis said.

UCLA needs Social Security numbers for financial aid purposes, since
they need to report information to the Internal Revenue Service. But
Davis said administrators have minimized the use of Social Security
numbers since the breach.

"We've found a number of places where we can limit and even eliminate the
use of Social Security numbers," he said.

He added that in cases where the university does not need to report to
the IRS, officials can often use other identifiers for students, such as
the last four digits of a Social Security number rather than the full
number.

Applicants to the university must submit their Social Security numbers,
but those numbers are deleted after two or three years, Davis said.
Still, at any given time university databases contain around 200,000
current and former applicants' Social Security numbers.

UCLA has also continued its investigation into the security breach and
over the past year was able to unearth additional details, Davis said.

He said the investigation determined that the hacker gained access to
28,600 Social Security numbers, and those people were sent additional
notifications.

Over 18,000 of those numbers came from students' financial aid
applications submitted between 2002 and 2006, according to a letter from
then-acting Chancellor Norman Abrams.

UCLA has also been working with the FBI, and investigators were able to
trace the hack to a foreign country, though there are no suspects.

Davis emphasized that the hack was extremely sophisticated, which makes
it more difficult to track.

So far, the hacker does not appear to have actually used any of the
Social Security numbers, though Davis said that is still a possibility.

"We continue to be careful and monitor this," he said. "Social Security
numbers are (sometimes) held for several years and then used."

Lowell Kepke, deputy director for the Social Security Administration in
San Francisco, said Social Security numbers can be used to open credit
in someone else's name, so potential victims should be on the lookout for
any odd credit card or bank activity.

"Check credit card statements to make sure all the charges are really
yours," he said. "If someone gets a specific sign that somebody's taken
their Social Security number and is really using it, call credit card
companies, banks, and call the three credit agencies (to alert them to
the fraud)."

Kepke added that everyone is entitled to one free credit report per
year, available online at freecreditreport.com, a Web site that can
reveal whether there has been any fraudulent activity.

In the wake of the data breach, UCLA set up a Web site for concerned
students, and Davis said university officials continue to maintain and
update the site: www.identityalert.ucla.edu/index.htm.

On the Web site, Abrams encouraged affected students to place fraud
alerts on their credit accounts and to alert credit agencies.

Davis also emphasized personal responsibility in preventing identity
theft. Students should create non-obvious passwords, at least six
characters in length, and should never give out personal information.

He added that the university employs virus scanning to combat security
issues.

"One of the most important ways servers get infiltrated is by viruses," he
said, adding that some key-logging viruses are able to record passwords
and other information typed onto a computer. "Generally speaking the
machines on campus are monitored (for viruses) pretty carefully."

But he noted that security is an ongoing issue for any large university
or company.

"We are continually under attack," he said. "We are continually probed for
vulnerability ... in the high tens of thousands (of attempted hacks) per
day. We've had some scares."

__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/