[Dataloss] Major breach of UCLA's computer files

dano dano at well.com
Tue Dec 12 09:53:09 EST 2006


Press release from the UCLA web site, and the 
letter to affected people (unconventional 
formatting retained from original).


--begin press release--

<http://newsroom.ucla.edu/page.asp?RelNum=7571>

UCLA Warns of Unauthorized Access to Restricted Database

UCLA is alerting approximately 800,000 people 
that their names and certain personal information 
are contained in a restricted database that was 
illegally and fraudulently accessed by a 
sophisticated computer hacker.

This database contains certain personal 
information about UCLA's current and some former 
students, faculty and staff, some student 
applicants and some parents of students or 
applicants who applied for financial aid. 
Approximately 3,200 of those being notified are 
current or former staff and faculty of the 
University of California, Merced, and current or 
former employees of the University of California 
Office of the President, for which UCLA does 
administrative processing.

In a letter being sent to affected individuals, 
Acting Chancellor Norman Abrams said that 
personal information about at least some of the 
individuals was obtained by the hacker but that 
there is no evidence that any data has been 
misused. The database includes names, Social 
Security numbers, dates of birth, home addresses 
and contact information. It does not include 
driver's license numbers or credit card or 
banking information.

[...]

--end press release--


--begin letter--

From: "Norman Abrams, Acting Chancellor, UCLA" <idalert at identityalert.ucla.edu>
To: 800,000 people
Subject: UCLA Warns of Unauthorized Access to Restricted Database
Date: Tue, 12 Dec 2006 02:37:24 -0800
X-Virus-Status: Clean

December 12, 2006

Dear Friend,

UCLA computer administrators have discovered that 
a restricted campus database containing certain 
personal information has been illegally accessed 
by a sophisticated computer hacker. This database 
contains certain personal information about 
UCLA’s current and some former students, faculty 
and staff, some student applicants and some 
parents of students or applicants who applied for 
financial aid. The database also includes current 
and some former faculty and staff at the 
University of California, Merced, and current and 
some former employees of the University of 
California Office of the President, for which 
UCLA does administrative processing.

I regret having to inform you that your name is 
in the database. While we are uncertain whether 
your personal information was actually obtained, 
we know that the hacker sought and retrieved some 
Social Security numbers. Therefore, I want to 
bring this situation to your attention and urge 
you to take actions to minimize your potential 
risk of identity theft. I emphasize that we have 
no evidence that personal information has been 
misused.

The information stored on the affected database 
includes names and Social Security numbers, dates 
of birth, home addresses and contact information. 
It does not include driver’s license numbers or 
credit card or banking information.

Only designated users whose jobs require working 
with the restricted data are given passwords to 
access this database. However, an unauthorized 
person exploited a previously undetected software 
flaw and fraudulently accessed the database 
between October 2005 and November 2006. When UCLA 
discovered this activity on Nov. 21, 2006, 
computer security staff immediately blocked all 
access to Social Security numbers and began an 
emergency investigation. While UCLA currently 
utilizes sophisticated information security 
measures to protect this database, several 
measures that were already under way have been 
accelerated.

In addition, UCLA has notified the FBI, which is 
conducting its own investigation. We began 
notifying those individuals in the affected 
database as soon as possible after determining 
that personal data was accessed and after we 
retrieved individual contact information.

As a precaution, I recommend that you place a 
fraud alert on your consumer credit file. By 
doing so, you let creditors know to watch for 
unusual or suspicious activity, such as someone 
attempting to open a new credit card account in 
your name. You may also wish to consider placing 
a security freeze on your accounts by writing to 
the credit bureaus. A security freeze means that 
your credit history cannot be seen by potential 
creditors, insurance companies or employers doing 
background checks unless you give consent. For 
details on how to take these steps, please visit 
<http://www.identityalert.ucla.edu/what_you_can_do.htm>.

Extensive information on steps to protect against 
personal identity theft and fraud is on the Web 
site of the California Office of Privacy 
Protection, a division of the state Department of 
Consumer Affairs, 
<http://www.privacy.ca.gov>.

Information also is available on a Web site we 
have established, 
<http://www.identityalert.ucla.edu>. 
The site includes additional information on this 
situation, further suggestions for monitoring 
your credit and links to state and federal 
resources. If you have questions about this 
incident and its implications, you may call our 
toll-free number, (877) 533-8082.

Please be aware that dishonest people falsely 
identifying themselves as UCLA representatives 
might contact you and offer assistance. I want to 
assure you that UCLA will not contact you by 
phone, e-mail or any other method to ask you for 
personal information. I strongly urge you not to 
release any personal information in response to 
inquiries of this nature.

We have a responsibility to safeguard personal 
information, an obligation that we take very 
seriously.

I deeply regret any concern or inconvenience this incident may cause you.

Sincerely,

Norman Abrams, Acting Chancellor


This is an automated message regarding the recent 
identity alert at UCLA. We're sorry, but we are 
unable to respond to emails. Please do not reply 
to this email. If you have questions or concerns 
and would like to speak with someone, please call 
(877) 533-8082. For additional information and 
steps to take, please go to the dedicated website 
at 
<http://www.identityalert.ucla.edu>.

--end letter--

