Another incident for UC

April 6, 2005

By David Lazarus

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/04/06/BUGEOC3L5N1.DTL&hw=data+breach&sn=001&sc=1000



The University of California has suffered yet another potential data breach, this one involving the names and Social Security numbers of about 7,000 students, faculty and staff at the San Francisco campus.

For Sen. Dianne Feinstein, D-Calif., enough is enough. She told me Tuesday that she'll introduce federal legislation within the next few days requiring encryption of all data stored for commercial purposes.

"What this shows is that there is enormous sloppy handling of personal data," Feinstein said.

This latest incident involving UCSF follows news that UC Berkeley lost control of personal info for nearly 100,000 grad students, alumni and applicants last month when a laptop computer was stolen from an unlocked campus office.

It also follows a flurry of other security lapses, including San Francisco's Wells Fargo, the nation's fourth-largest bank, experiencing no fewer than three data breaches due to stolen computers over the past year and a half.

In UCSF's case, campus techies noticed in late February that a server used in part by the university's accounting and personnel departments was generating an unusually high level of network activity.

"Our server was attempting to communicate with computers outside our network," said Ken Orgill, UCSF's chief information officer.

The assumption, he told me, is that a hacker had gained access to the school's system from a remote location and was using it as cover to either hack into another system or as a conduit for spam.

"This happens quite a lot, that hackers are probing our machines," Orgill said.

He said the server in question is used primarily to develop programs for various campus departments. As such, it doesn't have firewalls or encrypt data because the information it contains is supposed to be for test purposes only.

However, Orgill said actual data for thousands of UCSF students, faculty and staffers was in fact being stored, and the hacker may have had access to this data for hours before the intrusion was detected.

A sparsely detailed account of the incident was sent on March 23 to all those whose data was jeopardized. California law requires notification of any data breach.

Orgill said it's unknown whether any confidential info was downloaded by the hacker because the server doesn't contain software that would provide this level of security.

"That's exactly the direction in which we're moving," he said, adding that the campus also hopes to encrypt all data in the future.

Encrypting data means putting it into a format that requires a special key to decipher.

For Feinstein, this is a no-brainer. She's already introduced legislation that would expand California's notification law to the national level. Feinstein said she'll probably amend that bill to include a requirement that all commercially stored data be encrypted.

The bill will be discussed at a Senate Judiciary Committee hearing next week on identity theft issues.

Feinstein also said she'll explore legislation that would prohibit commercially stored personal info from being kept on easily stolen laptops.

It's unfortunate that such common-sense precautions require the action of lawmakers, but the custodians of our data have clearly proven themselves unworthy of the honor system.

You can let Feinstein know you support her efforts by contacting her via her Web site at feinstein.senate.gov.

Carbon copy: Speaking of data going astray, here's a cautionary tale showing that people's personal info can get loose even without the help of hackers and computer thieves.

Lori Falkell, 39, who runs an Oakland dog-walking service, stopped by the Berkeley Office Depot outlet the other day to pick up a roll of carbon paper for her fax machine.

She plucked a box off the shelf, paid for it and took it home. Installing the paper, however, Falkell noticed that it already had printing on it.

Unrolling a few feet, she discovered a wealth of data, including what looked like inside dope for a Reno ambulance company called Regional Emergency Medical Services Authority, or Remsa.

Falkell also saw what appeared to be the names and Social Security numbers of a handful of Kaiser Permanente members.

"There's all kinds of personal information," she told me. "You can read it clearly. It looks like quite a bit of juicy stuff."

Klark Staffan, a Remsa vice president, confirmed that Falkell was indeed looking at the company's internal documents. But he insisted that the lapse wasn't at his company's end.

"This is very unfortunate," he said. "But we don't use fax machines like that."

His best guess is that the carbon copies came from a fax machine belonging to an Albany consultant who was bidding for a Remsa contract. The consultant, Diane Akers, is named as the recipient of a variety of documents on the carbon roll.

I reached Akers late Tuesday and she confirmed that she recycles her carbon rolls at the Berkeley Office Depot outlet. She was disappointed, to say the least, that her private correspondence ended up for sale at one of the nation's largest office-supply stores.

"Disappointed doesn't explain what I am," Akers said. "I'm furious."

Bill Cunningham, who manages the Berkeley Office Depot, was at a loss to say precisely how this happened. "It's bizarre," he said.

He maintained, however, that the fault wasn't with his store. Instead, Cunningham said that if the carbon paper had been returned by a customer, it would have gone back to the manufacturer.

"We box it and ship it off," he said. "We do not put it back on the shelf."

However this happened, somebody somewhere messed up. And if the carbon paper had reached someone less honorable than Falkell, the consequences could have been severe.

"It's scary," she said.

It is. For all of us.
