UCD: Other campuses reporting problems

April 5, 2005

By Sharon Stello

http://www.davisenterprise.com/articles/2005/04/05/news/270new0.txt



The names and Social Security numbers of about 1,100 UC Davis students, faculty, visiting speakers and staff may have been compromised when someone hacked into a main computer in the university's plant biology section last month.

Letters were sent to notify everyone whose personal information was stored on the computer. University officials said there's no evidence that any unauthorized individuals have actually retrieved or used any personal data on the computer.

However, as a precautionary measure, those who received letters were advised to call credit check companies to make sure they have not become the victims of identity theft.

The letter said, "We are bringing this incident to your attention so that you can be extra alert to signs of any possible misuse of your personal identity. We regret that your information may have been subject to unauthorized access and have taken remedial measures to ensure that this situation is not repeated."

Other universities have experienced similar problems in recent weeks.

Last Monday, administrators at UC Berkeley acknowledged that a computer laptop containing the names and Social Security numbers of nearly 100,000 people - mostly graduate school applicants - had been stolen.

Just three days earlier, Northwestern University reported that hackers who broke into computers at the Kellogg School of Management there may have had access to information on more than 21,000 students, faculty and alumni.

And one week before that, officials at Cal State Chico announced a breach that may have exposed personal information on 59,000 current, former and prospective students.

There is no evidence that any of the compromised information has been used to commit fraud. But these incidents seem to highlight the particular vulnerabilities of modern universities, which are heavily networked, widely accessible and brimming with sensitive data on millions of people, the New York Times News Service reports.

Carol Erickson, executive associate dean of UCD's Division of Biological Sciences, which includes the plant biology section, said new state law requires the university to notify people whose information may have been stolen in this type of security breach. Erickson said she's not aware of any identity theft cases stemming from the computer break-in.

"I'm suspecting nothing will come of it," Erickson said.

Bob Ono, UCD's information technology security coordinator, explained that workers were alerted to the security breach when they found files on the computer that they had not placed there.

Ono said someone apparently hacked into the computer through the Internet. He said although the computer served as a repository for historical files, there were no signs that any sensitive information had been accessed. He said the break-in was an unusual incident for the campus.

"We've been lucky," Ono said. "We've only had a few incidents of this nature."

Ono said nothing indicates any connection between the computer break-in at UCD and the similar incidents at other universities. He said it's nearly impossible to track down the person who hacked into the computer.

The campus is taking several steps to prevent such break-ins. Ono said these measures were in the works in response to the new state law rather than in reaction to the recent incident.

A letter was sent to campus administrators, to be distributed to everyone on campus, reminding them of the importance of protecting and securing personal information. And a new security policy, which recommends 14 computer security practices for all campus units, is expected to be adopted in the next few weeks.

UCD's letter to those whose information may have been compromised suggested steps that can be taken to protect against identity theft.

"First, you may place a fraud alert with credit bureaus and/or periodically run a credit report to ensure accounts have not been activated without your knowledge," the letter said. "If you determine that an account has been fraudulently established using your identity, you should contact law enforcement and the financial agency."

More information about identity theft is available from the Federal Trade Commission Web site, www.consumer.gov/idtheft. An Identify Theft Victim Checklist is available online at www.privacy.ca.gov/sheets/cis3english.htm.

Major credit bureaus include Equifax, at (800) 525-6285; Experian, at (888) 397-3742; and Trans Union, at (800) 680-7289. To report Social Security fraud, call the Social Security Administration fraud line at (800) 269-0271.


main page ATTRITION feedback