[Infowarrior] - UCLA: 800K people's PII potentially compromised

Richard Forno rforno at infowarrior.org
Tue Dec 12 10:03:15 EST 2006


(c/o dano)

<http://newsroom.ucla.edu/page.asp?RelNum=7571>

UCLA Warns of Unauthorized Access to Restricted Database

UCLA is alerting approximately 800,000 people that their names and certain
personal information are contained in a restricted database that was
illegally and fraudulently accessed by a sophisticated computer hacker.

This database contains certain personal information about UCLA's current and
some former students, faculty and staff, some student applicants and some
parents of students or applicants who applied for financial aid.
Approximately 3,200 of those being notified are current or former staff and
faculty of the University of California, Merced, and current or former
employees of the University of California Office of the President, for which
UCLA does administrative processing.

In a letter being sent to affected individuals, Acting Chancellor Norman
Abrams said that personal information about at least some of the individuals
was obtained by the hacker but that there is no evidence that any data has
been misused. The database includes names, Social Security numbers, dates of
birth, home addresses and contact information. It does not include driver's
license numbers or credit card or banking information.

[...]

--end press release--


--begin letter--

From: "Norman Abrams, Acting Chancellor, UCLA"

December 12, 2006

Dear Friend,

UCLA computer administrators have discovered that a restricted campus
database containing certain personal information has been illegally accessed
by a sophisticated computer hacker. This database contains certain personal
information about UCLA's current and some former students, faculty and
staff, some student applicants and some parents of students or applicants
who applied for financial aid. The database also includes current and some
former faculty and staff at the University of California, Merced, and
current and some former employees of the University of California Office of
the President, for which UCLA does administrative processing.

I regret having to inform you that your name is in the database. While we
are uncertain whether your personal information was actually obtained, we
know that the hacker sought and retrieved some Social Security numbers.
Therefore, I want to bring this situation to your attention and urge you to
take actions to minimize your potential risk of identity theft. I emphasize
that we have no evidence that personal information has been misused.

The information stored on the affected database includes names and Social
Security numbers, dates of birth, home addresses and contact information. It
does not include driver's license numbers or credit card or banking
information.

Only designated users whose jobs require working with the restricted data
are given passwords to access this database. However, an unauthorized person
exploited a previously undetected software flaw and fraudulently accessed
the database between October 2005 and November 2006. When UCLA discovered
this activity on Nov. 21, 2006, computer security staff immediately blocked
all access to Social Security numbers and began an emergency investigation.
While UCLA currently utilizes sophisticated information security measures to
protect this database, several measures that were already under way have
been accelerated.

In addition, UCLA has notified the FBI, which is conducting its own
investigation. We began notifying those individuals in the affected database
as soon as possible after determining that personal data was accessed and
after we retrieved individual contact information.

As a precaution, I recommend that you place a fraud alert on your consumer
credit file. By doing so, you let creditors know to watch for unusual or
suspicious activity, such as someone attempting to open a new credit card
account in your name. You may also wish to consider placing a security
freeze on your accounts by writing to the credit bureaus. A security freeze
means that your credit history cannot be seen by potential creditors,
insurance companies or employers doing background checks unless you give
consent. For details on how to take these steps, please visit
<http://www.identityalert.ucla.edu/what_you_can_do.htm>.

Extensive information on steps to protect against personal identity theft
and fraud is on the Web site of the California Office of Privacy
Protection, a division of the state Department of Consumer Affairs,
<http://www.privacy.ca.gov>.

Information also is available on a Web site we have established,
<http://www.identityalert.ucla.edu>. The
site includes additional information on this situation, further suggestions
for monitoring your credit and links to state and federal resources. If you
have questions about this incident and its implications, you may call our
toll-free number, (877) 533-8082.

Please be aware that dishonest people falsely identifying themselves as UCLA
representatives might contact you and offer assistance. I want to assure you
that UCLA will not contact you by phone, e-mail or any other method to ask
you for personal information. I strongly urge you not to release any
personal information in response to inquiries of this nature.

We have a responsibility to safeguard personal information, an obligation
that we take very seriously.

I deeply regret any concern or inconvenience this incident may cause you.

Sincerely,

Norman Abrams, Acting Chancellor


This is an automated message regarding the recent identity alert at UCLA.
We're sorry, but we are unable to respond to emails. Please do not reply to
this email. If you have questions or concerns and would like to speak with
someone, please call (877) 533-8082. For additional information and steps to
take, please go to the dedicated website at
<http://www.identityalert.ucla.edu>.

--end letter--



