December 12, 2006 10:32 AM PST

UCLA break-in puts data on 800,000 at risk

In one of the largest known security breaches at a university, the database at the University of California, Los Angeles has been broken into, exposing the private information of about 800,000 people.

Administrators discovered November 21 that the database had been compromised, according to a letter dated Tuesday that was posted to the university's Web site (PDF here). The hacker had exploited a previously undetected software flaw and gained access to the database from October 2005 until the discovery, Norman Abrams, acting UCLA chancellor, said in the letter.

"While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers," Abrams said.

The breach affects UCLA students, staff, applicants and some students' parents. It also included information on current and some former faculty and staff at the University of California, Merced, and at the University of California Office of the President.

Sensitive information stored in the database included Social Security numbers, home addresses, dates of birth and contact information. Financial information, such as credit card numbers or bank accounts, was not housed in the database.

When the illicit activity was discovered, university staff immediately blocked access to Social Security numbers housed in the database and began an investigation, UCLA said. The database normally operates under restricted access and requires a password from authorized users, it said. In addition, the institution said it began notifying all those affected as well as the FBI, which has launched its own investigation.

UCLA's security breach is among the largest to hit a university. Earlier this year, for example, Western Illinois University suffered a hacker attack that compromised the personal information of 180,000 people, and Ohio University found three of its servers, one of which contained 137,000 Social Security numbers, had been compromised.

Last year, the University of Southern California suffered a security breach of a database containing personal information on 275,000 applicants over an eight-year period.

For a number of universities and colleges, balancing security with the free flow of information particular to institutions of higher learning is a challenge, as open computer networks can be more vulnerable than a corporate network, security experts have said.


1 comment

Say What???
We're talking about a break-in 14 months ago which was discovered 13 months after the break-in.

If we were back in 1985 or even 1995, I might not have been that surprised, but that amount of data hacked in 2005????

As of the year 2000, there were 37,460 applicants. The actual number of students I'm sure is much less, but even calculating at the grossly inflated figure of 37,460 per year... 800,000 records would amount to roughly over 21 years' worth of student records.

WHAT IN THE WORLD IS ANY UNIVERSITY DOING KEEPING SUCH OLD DATA ONLINE SUCH THAT IT CAN BE HACKED???

UCLA = Unbelievable Computer Lax Administration

There IS NO EXPLANATION FOR THIS!!! Absurdity... YES... INSANE... YES... Downright SHAMEFUL... YES...

Total idiotic nincompoops to say the least!!!

Walt
Posted by wbenton (522 comments)