Data Security Incident

May 16, 2006

UC Berkeley

Data Security Incident

A computer vulnerability has been identified that may have compromised personal data for approximately 1,200 current and former UC Berkeley students, faculty, and staff.

During the recent investigation of a computer virus, it was discovered that computers within the Cal 1 Card (C1C) office may have been accessed without authorization from within the campus network. Although it initially appeared that no sensitive data could have been viewed, further analysis revealed the presence of archived spreadsheets with names and Social Security Numbers.

The spreadsheets contained data on some individuals who requested a new card or requested a replacement for a damaged or lost Cal 1 Card between 1998 and 2004. If someone did not visit the Cal 1 Card office to receive a replacement ID card or provide a Social Security number to the Cal 1 Card staff, they are not affected by this incident. If they received a letter from us, they must have visited the Cal 1 Card office to either get a replacement ID card or they believed they were supposed to get a card and were not in the system. If while visiting the Cal 1 Card office they provided a Social Security number to the Cal 1 Card staff to assist in the processing of a fee waiver, student billing, or because they did not remember or did not have an Employee or Student ID number, that Social Security number information may have been logged in one of the archived spreadsheets.

Our extensive technical analysis of the vulnerability and potential exposure has found no evidence that any of the personal data on the spreadsheets was viewed, accessed, or misused by any unauthorized person. Despite the absence of any evidence that the files were accessed, UC Berkeley has notified all individuals listed within the spreadsheets and advised them to review their credit reports and consider placing a fraud alert with a credit agency as a precautionary step. If you believe you were impacted by this security incident

If you think your name may have been listed within the spreadsheet files, call the toll-free campus hotline number 1-800-372-5110 for confirmation. If the call is not answered immediately, please leave a message and a UC Berkeley representative will contact you shortly. Click here if you are located outside the US.

If your name was listed within the spreadsheet files and you received a letter from UC Berkeley, you are strongly advised to place a fraud alert on your credit reports.

CAUTION: In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University and who then proceed to ask for personal information, including social security numbers and/or credit card information. Please be aware that UC Berkeley will only contact you with information regarding steps you should take to prevent possible fraud or identity theft; or if you ask us, by email or telephone, for information. We will not ask for your full Social Security number. We will not ask for credit card or bank information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

How to place a fraud alert on your credit report

If you have received notice that your personal information may have been exposed, you are advised to place a "fraud alert" on your credit file with the three major credit bureaus. This is a free service that will request creditors to verify your identity before opening a new account.

You may place an Initial 90-day Fraud Alert by calling any one of the three nationwide credit reporting companies. The agency that accepts your request will share your request with the other two credit reporting companies, which will add the alert to your file or request that you provide them additional information. You will receive a confirmation when an alert is added to your file. You may also request a free credit report from each of the three agencies.

Choose one of the credit bureaus from the contact information below. Experian allows you to file a fraud alert online or by telephone; Equifax and Trans Union require you to call.

Please note that your initial call to the credit bureau will be to an automated system. With your copy of the credit report, you will receive another phone number that will allow you to discuss anything unusual with a representative.

* Experian ( 888-397-3742

You can place a fraud alert with Experian online by going to the Experian Credit Fraud Center.

To place a fraud alert with Experian by phone: 1. Dial 1-888-397-3742. 2. Select option 2 ("all other" requests not related to credit management tool). 3. Select option 2 ("if not" wanting to listen to 8 minute recording of CA Civil Code Section 1785.10). 4. Select option 3 ("if you believe that your credit information is being used fraudulently"). 5. Select option 2 ("to add an alert to your credit file using an automated system"). 6. Select option 1 ("add a temporary initial fraud security alert". There are other options for 7-year extended victim alert and active duty at this point). 7. Select option 2 ("to continue to the automated alert system" which then asks for your social security number).

* Equifax ( 800-525-6285

To place a fraud alert with Equifax, you must do so by phone. You cannot place a fraud alert with Equifax online.

To place a fraud alert with Equifax by phone: 1. Dial 1-800-525-6285 (this number is specifically for placing a fraud alert). 2. Select option 3 (to place to show you believe you are a victim of fraud). 3. Select option 1 (to place a fraud alert). 4. Follow instructions. * Trans Union ( 800-680-7289

To place a fraud alert with Trans Union, you must do so by phone. You cannot place a fraud alert with Trans Union online.

To place a fraud alert with Trans Union by phone: 1. Dial 1-800-680-7289. 2. Enter your zip code. 3. DO NOT press 1 or say 1 to listen to the summary. 4. Wait for the next option. 5. Press 1 or say 1 for Fraud Alert options.

You should also request a copy of your credit report from each of the three credit reporting agencies. When you receive your credit reports, review them carefully. Look especially for these indicators of possible fraudulent activity: * Unfamiliar accounts, especially ones that have been newly opened. * Unauthorized charges to existing accounts. * Addresses that you have not lived at.

Facts about fraud alerts

Before you add a fraud alert to your credit report, be aware of these effects:

* You may be asked to provide proof of your identification when applying for instant credit. In some cases, the presence of a fraud alert may limit your ability to receive instant credit for in-store purchases that you plan to take possession of immediately.

* Creditors may contact you by phone at a designated number before opening a new account.

* A fraud alert should not interfere with the daily use of credit cards or banking or checking accounts.

The length of time that an alert stays on your record varies for each credit bureau. You can request an extension when the initial period has ended. If you are a victim of identity theft

If you find evidence of identity theft on your credit reports, take these steps:

* Close the accounts that you believe have been opened fraudulently or have unauthorized activity.

* File a police report, and get a copy to submit to creditors and others that may require proof of a crime.

* Contact the credit bureaus to place a victim statement on your account.

* File a complaint with the FTC online at or by calling 877-438-4338.

* If you discover misuse of your Social Security number, call the Social Security Fraud Hotline, 800-269-0271.

* Keep a record of communications with credit bureaus, creditors, financial institutions, and police, including dates.

main page ATTRITION feedback