Major breach of UCLA's computer files

December 12, 2006

By Rebecca Trounson, Times Staff Writer,0,7111141.story?coll=la-home-headlines

In what appears to be one of the largest computer security breaches ever at an American university, one or more hackers have gained access to a UCLA database containing personal information on about 800,000 of the university's current and former students, faculty and staff members, among others.

UCLA officials said the attack on a central campus database exposed records containing the names, Social Security numbers and birth dates . the key elements of identity theft . for at least some of those affected. The attempts to break into the database began in October 2005 and ended Nov. 21, when the suspicious activity was detected and blocked, the officials said.

In a letter scheduled to be sent today to potential victims of the breach, acting Chancellor Norman Abrams said that although some Social Security numbers were obtained by the hackers, the university had no evidence that any of the information had been misused.

"We take our responsibility to safeguard personal information very seriously," Abrams said in the letter, which was scheduled to be mailed or e-mailed overnight to those whose records were compromised. "My primary concern is to make sure this does not happen again" and to provide information to try to minimize the risk of identity theft for those affected, he said.

Abrams urged those whose records might have been accessed to monitor their consumer credit files and consider fraud alerts and other precautions.

The UCLA incident is the latest in a series of computer security breaches affecting private organizations, financial institutions, government agencies and other large employers. Partly because of their tradition of openness, universities are proving to be a favorite . and often vulnerable . target, several experts in the field said Monday.

"Universities tend to have a lot of information floating around in a lot of different places," said Jay Foley, executive director of the Identity Theft Resource Center, a San Diego-based nonprofit. "They are places we send our children to share ideas, and it's hard to mix the open sharing of ideas with the need to tighten down on security."

In 2003, for example, a hacker at San Diego State used an outdated computer network in the drama department to find a way into the financial aid system. The Social Security numbers of more than 200,000 people were exposed.

Foley and others interviewed said that although there was no evidence of any fraudulent or illegal use of the information, the UCLA breach, in the sheer number of people affected, appeared to be among the largest at an American college or university.

"To my knowledge, it's absolutely one of the largest," said Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association that focuses on technology issues. He said most problems at universities have involved breaches of departmental or other, smaller databases.

Comprehensive statistics on computer break-ins at colleges do not exist. But in the first six months of this year alone, there were at least 29 security failures at colleges nationwide, jeopardizing the records of 845,000 people. Both private and public institutions have been hit. In 2005, a database at USC was hacked, exposing the records of 270,000 individuals.

Petersen said that in a survey released by Educause in October, about a quarter of 400 colleges said that over the previous 12 months, they had experienced a security incident in which confidential information was compromised.

At UCLA, officials said Monday that the targeted database included records for the university's current and former students, faculty and staff, in some cases dating to the early 1990s. Others potentially affected included some applicants during the last five years who did not enroll at the university, as well as some parents of students or applicants who had applied for financial aid.

About 3,200 of those being notified are current or former staff and faculty of UC Merced and current or former staff of UC's Oakland headquarters. UCLA handles administrative processing for both groups.

Besides names, Social Security numbers and birth dates of those affected, the database includes home addresses and contact information, officials said. It does not contain driver's license numbers or credit card or banking information.

Jim Davis, UCLA's associate vice chancellor for information technology, described the attack as sophisticated, saying it used a program designed to exploit a flaw in a single software application among the many hundreds used throughout the Westwood campus.

"An attacker found one small vulnerability and was able to exploit it, and then cover their tracks," Davis said.

He said the problem was spotted when computer security technicians noticed an unusually high number of suspicious queries to the database. It took several days for investigators to be sure that it was an attack and to learn that Social Security numbers were the target, he said.

Davis said the investigation was continuing, but that university officials had decided to notify potential victims now.

"UCLA and its community are the victims of this, and despite the great deal of effort we put into security, this really is a breach of trust with our community," he said. "Given that we saw intent in this, we needed to let people know."

UCLA has established a website to provide information and answer questions about the incident at http://www.identityalert.ucla.eduand a toll-free call center, (877) 533-8082.

Laura Eimiller, spokeswoman for the FBI's Los Angeles office, said the agency was investigating the breach, but said she could not comment further.

main page ATTRITION feedback