October 20, 2004 5:36 PM PDT

Online attack puts 1.4 million records at risk

An August intrusion into a social researcher's computer may mean that more than a million Californians need to call the credit bureaus.

On Tuesday, the California Department of Social Services warned the providers and recipients of the state's In Home Support Services (IHSS) that their names, addresses, telephone numbers, Social Security numbers and dates of birth may be circulating on the Internet. IHSS allows individuals to get paid for providing in-home care to senior citizens.

The warning comes after an unknown attacker slipped in through a security hole in a social researcher's unsecured computer at the University of California, Berkeley, on Aug. 1, perhaps making off with 1.4 million database records containing personal information. The researcher noticed the trespass on Aug. 30 and the university notified the state in mid-September.

Data Intrusion
•  Incident: Personal records on a UC Berkeley computer may have been compromised
•  Affected: Up to 1.4 million providers and clients of the California Department of Social Services
•  So far: The state says there's no sign the data was stolen or misused
•  Steps: Those affected are warned to contact the major credit bureaus and put warnings on their credit card accounts
•  For more information: See the DSS site.

"We have only determined that the computer itself was accessed," said Carlos Ramos, assistant secretary at the California Health and Human Services Agency. "We haven't determined that the data was accessed."

The FBI and the California Highway Patrol--the state police agency--are investigating the incident, the California DSS stated.

The intrusion is not the first to net personal information at a university. A laptop stolen from the University of California, Los Angeles, exposed about 145,000 people's data. Last year, the Georgia Institute of Technology and the University of Texas at Austin fell prey to online attackers. The California Employment Development Department also may have exposed 55,000 names in February.

In the latest case, a UC Berkeley researcher had lawfully obtained the information as part of a research project into the effectiveness of the IHSS program. However, he had not followed policy that specified that sensitive information, such as Social Security numbers, be removed from the database.

The participants may not have known that their information would be shared, but the DSS is allowed by law to share the information for the purpose of research.

While about 1.4 million records may have been compromised, there also may have been many duplicates, Ramos said. The researcher had the initial database and several updates that brought the total to 1.4 million records, but many of the updates may have been updates of earlier personal information already in the database, he said.

The state stressed in its statement that officials had not received any information indicating that identity theft or misuse of data had occurred. However, the state also recommended that members of the IHSS program contact the three credit bureaus and place a fraud alert on their credit accounts.

A recent survey of online users found that 80 percent are concerned that someone may steal their identity. The survey, fielded by pollster Greenfield Online and security firm Entrust, found that 65 percent of respondents said increased identity protection would influence their decision in selecting a financial institution.

The California government's recommendations for potential victims of the data theft underscore how little people can do to curb the illegal use of their information. While putting credit accounts on fraud alert may make it harder to co-opt financial accounts, forget trying to change a Social Security number, the DSS stated.

"There are drawbacks to doing so, since it may result in losing your credit history, your academic records and professional degrees," the department said in a statement. "The absence of any credit history under a new SSN would make it difficult to get credit, continue college, rent an apartment, open a bank account, get health insurance... In most cases, getting a new SSN would not be a good idea."

2 comments

The owner of the database is responsible for protecting the data
I don't buy the California DSS's line that it's up to the researcher to delete the sensitive data. It's up to the DSS to strip that data out before it is provided, and I hope governor Ahnuld takes someone to the woodshed over this one. At the end of the day nobody in any industry using databases really makes it their business to protect what they've got, and that's one reason the tech industry can never escape the hand of government regulation. Sooner or later the boneheads spoil it for everyone.
Posted by Razzl (1318 comments )
Basic Security??
From UCLA, via Berkeley to Georgia to wherever the next theft occurs, there has to be an answer. I teach basic--i.e. "Basic" Security Seminars for the University of Maryland besides higher level Security courses. Precept #1: Always secure your equipment--that means lock it up!!

There is sense going into the importance of "Defense in Depth" concepts until the Universities and Banks, etc. learn this.
Lock up your Laptops, sign them in, sign them out--nothing arcane or complex.

First things first--Physical security, time to get busy!!

Sincerely,

J.P. McNellie, M.Ed., MCSe, GSEC, N+
Posted by (1 comment )