May 8, 2009 1:53 PM PDT

UC Berkeley computers hacked, 160,000 at risk

by Michelle Meyers

This post was updated at 2:16 p.m. PDT with comment from an outside database security software vendor.

Hackers broke into the University of California at Berkeley's health services center computer and potentially stole the personal information of more than 160,000 students, alumni, and others, the university announced Friday.

At particular risk of identity theft are some 97,000 individuals whose Social Security numbers were accessed in the breach, but it's still unclear whether hackers were able to match up those SSNs with individual names, Shelton Waggener, UCB's chief technology officer, said in a press conference Friday afternoon.

UCB data theft info (Credit: University of California at Berkeley)

The attackers accessed a public Web site and then bypassed additional secured databases stored on the same server. In addition to SSNs, the databases contained health insurance information and non-treatment medical information, such as immunization records and names of doctors patients had seen. No medical records (i.e. patient diagnoses, treatments, and therapies) were taken, as they are stored in a separate system, emphasized Steve Lustig, associate vice chancellor for health and human services.

"Their ID has not been stolen," he added. "Some data has been stolen."

The server breach began on October 9, 2008, and continued through April 9, when a campus computer administrator doing routine maintenance discovered messages left by the attackers. Logs indicate that the hacks originated from overseas, "primarily in the Asian theater," Waggener said, later specifying traces to China.

While campus police and the FBI were immediately notified of the breach, it wasn't until April 21, Waggener said, that officials learned data had been stolen. Since then, the focus of the investigation has been figuring out what was taken and who is at risk. The hackers' specific techniques are still being determined as part of the ongoing criminal investigation, he said.

The university has not said how the attackers got in, but one outside database security software vendor, Sentrigo CTO Slavik Markovich, suspects an SQL injection, in which an attacker inserts malicious SQL commands into input that the Web site passes to the database behind it. Markovich also questions whether the university has appropriate monitoring tools in place, given that the hack went unnoticed for six months, and why it hosted data with different levels of sensitivity on the same server.

The university started notifying the 160,000 people at risk via e-mail and snail mail on Friday. Victims include an assortment of current and former Berkeley students--as well as their parents or spouses, if linked to insurance coverage--who had University Health Services health care coverage or received services. Also included are 3,400 students of Mills College in Oakland, Calif., which contracts with the university for health services.

The university has warned those affected to put a fraud alert on their credit reporting accounts. It has also set up a Web site and hotline to help the victims.

In 2005, a PC was stolen from a Berkeley graduate admission office that held sensitive data on some 98,000 people, stretching back three decades. And the university has dealt with security viruses and the like, Waggener said. But this was the first such server breach.

With this, Waggener said, Berkeley joins a long list of prestigious institutions suffering from such increasingly sophisticated and malicious attacks. "We're defending against attacks from around the world," he said.

Michelle Meyers is an associate editor who tracks online happenings in media, entertainment, and politics.
(21 Comments)
by 42istheanswer May 8, 2009 3:17 PM PDT
Wow. All I can say is the best defense against all this is to simply unplug the servers and go home. End of problem.
by gggg sssss May 8, 2009 5:16 PM PDT
One assumes that this was NOT a Windows server and NOT MS SQLserver. Curious.
by monkeyfun14 May 8, 2009 6:14 PM PDT
Oh, of course not; if it was, CNET would be sure to point that out. xDD
by rapier1 May 8, 2009 7:51 PM PDT
Why is it curious? Unix systems and non-MS databases get hacked all the time. It's not like other operating systems are immune to buffer overflows and SQL injections.
by Mr. Dee May 9, 2009 8:47 AM PDT
One assumes if it's SQL Injection, it's associated with MS SQL Server, Oracle databases and most databases are based on SQL.
by rapier1 May 9, 2009 1:11 PM PDT
Ummm... Mr. Dee I'm not sure I follow your logic. Any DB that uses SQL would potentially be subject to an SQL injection.
by Ilgaz May 10, 2009 7:48 PM PDT
hmm if CNET didn't mention the SQL server brand... What could it be? ;)
by gggg sssss May 8, 2009 5:21 PM PDT
Can't resist - I think they can get educational pricing from Microsoft.
by dargon19888 May 8, 2009 5:45 PM PDT
Stupidity at its best.

People need to be paranoid and it means spending $$$ for security.
by rapier1 May 8, 2009 7:53 PM PDT
Not stupid as much as lazy and complacent.
by sundance808 May 8, 2009 10:24 PM PDT
"The attackers accessed a public Web site and then bypassed additional secured databases stored on the same server.".. which is a recipe for disaster.
by dennisl59 May 9, 2009 4:17 AM PDT
And here I thought that the smartest people in the world worked in the UC Berkeley Data Center. The same server hosts a "Public Web Site" and "Secured Databases". I guess whoever set this up missed the class on Security 101. They were probably out protesting something or getting high. MORONS.
by SixString16 May 9, 2009 6:49 AM PDT
WOW- "The attackers accessed a public Web site and then bypassed additional secured databases stored on the same server. " --- The SAME server??? I don't care what platform you're running - why are there "secured" databases running on a web server.

Who's the hack that put this environment together?
by SiliconDragon May 10, 2009 9:29 PM PDT
I work at a university and the stuff that goes on is dumbfounding sometimes. I've seen not just possible, but known security threats brushed off because "they are too expensive to fix" or because it would interfere with "academic freedom" (aka it would inconvenience a faculty member). To get anything done is like running for office with the amount of politics that goes on. Most universities are also well behind everyone else on the technology front.

Having a database server installed on a web server is a bit surprising. I would have thought that would have been on an Oracle database on a backend server. The fact a publicly available website could access the database is not surprising though, even if it was backend.
by therealgeeves May 9, 2009 7:26 AM PDT
I think the security of the server is a human error in this case - if a website can access a secure database on the same server this is an info-tech consultant's fault.

Someone is either overworked or does not understand security...
by dennisl59 May 9, 2009 11:11 AM PDT
Local H1-B's in charge, with Remote Systems Management outsourced to India.

OR just some knuckleheads getting too high to care.

Either way, all have Masters in Computer Science from UC Berkeley. Looks good on the resume'!!!

Take your pick.
by ucbstudent May 10, 2009 12:11 AM PDT
Hi, I'm a UCB student and received the email. I called the hotline and they confirmed my name was on the list. This happened to me before in 2004 when a laptop was stolen at UCB with all the graduate student info (social security #s, etc.). If a class action lawsuit has not already been started, I want to start one.

I have been dealing with identity theft and it is a serious life-consuming pain. This is the 3rd time this has happened since I've been at UCB. This is RIDICULOUS!!

Contact me at UCBClassActionLawsuit@gmail.com
If one has already been started, please let me know, so I can join. Thanks!
by dennisl59 May 10, 2009 9:01 AM PDT
Recommendation: Transfer to another school. It's failing in its responsibility so why give them $$$?
by Ilgaz May 10, 2009 7:47 PM PDT
Let's hope the birthplace of BSD wasn't bribed by MS to use their systems instead. It would be a really sad story and a good lesson.
by johnfranks1234 May 14, 2009 9:40 AM PDT
Most companies enjoy "security" insofar as they haven't been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper and Carnegie-Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture - absent new eCulture, breaches will, and continue to, increase. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities - read the book BEFORE you suffer a bad outcome - or propagate one.
by idfubar May 24, 2009 1:37 AM PDT
Why should the University of California have its name dragged through the mud as a result of a failure of employees of the state to properly secure information? Why should the state of California (the birthplace of the computer revolution) have nothing to offer its own government by way of managed IT services so the state is not (a) doing this work itself and (b) not sending the funds to Amazon (in Seattle) or Accenture (Bermuda)!

Instead, what we have is a media which is ready to seize upon hysteria and a public which knows nothing better than to pontificate and threaten to sue; maybe when the state goes bankrupt we'll start to grow up...