The University of California, Los Angeles alerted about 800,000 current and former students, faculty, and staff on Dec. 12 that their names and certain personal information were exposed after a hacker circumvented security and broke into a campus database. Only a small percentage–“far less than 5 percent”–of the records in the database were actually accessed, UCLA spokesman Jim Davis told the Associated Press.
Still, it was one of the largest such computer security breaches ever involving a U.S. school.
The attacks on the database began in October 2005 and ended Nov. 21 of last year, when computer security technicians noticed suspicious database queries, according to a statement posted on a school web site set up to answer questions about the theft. Davis said the hacker used a program designed to exploit an undetected software flaw to bypass security systems and get into the restricted database, which has information on current and former students, faculty, and staff, as well as some student applicants and parents of students or applicants who applied for financial aid.
“In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications,” he said in a statement.
Fortunately, many of the records in the database do not link names and Social Security numbers–the two pieces of information the hacker was after, Davis said. The university’s investigation so far shows only that the hacker sought and obtained some of the Social Security numbers. But out of caution, the school said, it was contacting everyone listed in the database.
Acting Chancellor Norman Abrams said in a letter posted on the site that while the database includes Social Security numbers, home addresses, and birth dates, there was no evidence that any data have been misused.
The letter suggests, however, that recipients contact credit reporting agencies and take steps to minimize the risk of potential identity theft. The database does not include driver’s license numbers or credit card or banking information.
“We have a responsibility to safeguard personal information, an obligation that we take very seriously,” Abrams wrote. “I deeply regret any concern or inconvenience this incident may cause you.”
The breach is among the latest involving universities, financial institutions, private companies, and government agencies. But security experts said the UCLA breach, in the sheer number of people affected, appeared to be among the largest at an American college or university.
“To my knowledge, it’s absolutely one of the largest,” Rodney Petersen, security task force coordinator for Educause, a nonprofit higher-education association, told the Los Angeles Times.
Petersen said that in an Educause survey released in October, about a quarter of 400 colleges said that they had experienced a security incident in which confidential information was compromised during the previous 12 months.
In 2005, a database at the University of Southern California was hacked, exposing the records of 270,000 individuals.
And last April, Ohio University announced the first of what would be identified as five cases of data theft, affecting thousands of students, alumni, and employees–including the school’s president. About 173,000 Social Security numbers might have been stolen since March 2005, along with names, birth dates, medical records, and home addresses, school officials said.
In November, an Ohio University official upheld the firing of two school administrators over the security breaches.
Tom Reid, former director of communication network services, and Todd Acheson, former UNIX systems manager, were fired in July. In letters sent November 15 to Reid and Acheson, university Provost Kathy Krendl said they failed in their responsibility of designing and maintaining a secure network.
Reid and Acheson filed grievances in August, and a university grievance committee in October recommended their reinstatement. The committee said the two men deserved apologies and new jobs, because evidence showed they had worked to prevent electronic break-ins on school computers and were incorrectly blamed for lapsed security.
The committee’s report faulted other university officials for not reorganizing the school’s computer systems and for leaving security responsibilities unclear.
Acheson’s attorney said Krendl should not have been involved in deciding the matter, because she was part of the administration that caused the problem.