By exploiting a known vulnerability on an unpatched computer, the hackers potentially gained access to some 1.4 million names, Social Security numbers and more relating to a care program for the elderly.
Hackers took advantage of a known vulnerability on an unpatched computer to potentially gain access to some 1.4 million names, Social Security numbers, telephone numbers, addresses and dates of birth at University of California at Berkeley, officials said Tuesday.
The personal data was that of recipients and providers for the states In Home Supportive Services program, which provides in-home care for elderly people. The data was being used by a researcher, who was studying the impact of wages and benefits paid for by providers and how it impacts the relationship between providers and recipients of in-home care, according to Carlos Ramos, assistant secretary at the California Health and Human Services Agency.
The FBI, the California Department of Social Services and the California Highway Patrol are investigating the breach, which happened at the end of August, according to comments made by UC Berkeley spokesman George Strait in news reports. The state was notified Sept. 27, after the school wrapped up its own investigation with the FBI.
Ramos stressed that the agency has received no indication that the hackers compromised the computer. Nor is there any indication that identity fraud has yet taken place.
"The investigation is still going on, so I cant get into a lot of detail," he said. He did say that the researchers computer was connected to UC Berkeleys network. University security personnel were performing routine intrusion detection when they determined that an unauthorized user was attempting to get at the computer.
Ramos declined to confirm which vendors database was the subject of the attack but did say it was a "commercially available product" with a known vulnerability that was exploited. A patch for the vulnerability was available at the time, Ramos said.
That points to negligence in patching on the part of the universitya fairly common ailment among institutions of higher learning in the state, according to Jordana Beebe, communications director for the Privacy Rights Clearinghouse, a California-based organization that advises consumers about their rights.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
"Were seeing that [many] major universities and colleges have had a security breach and have had to send out notification because of unauthorized access to secure information," said Beebe, in San Diego. She went on to list a rash of incidents that have been reported since last year, when the state passed a security breach notification law.
To wit, this partial list: Documents containing sensitive information were found in a West Chester University trash bin in August. In May, 380,000 names, Social Security numbers and/or drivers license numbers on a Web server and three workstations were exposed to hackers at UC San Diego. In August 2003, hackers potentially gained access to a database containing the names, addresses and drivers license numbers of about 17,000 visitors from throughout the world at UC Berkeleys Bancroft Library.
Click here to read about critical Oracle vulnerabilities that have been publicly exploited.
Banks, government agencies and schools are at the top of the list as hacking targets, Beebe said. "A lot of private companies do have the wherewithal to make sure data is secure, but many higher institutes of learning are not up to snuff," she said. "Im not sure if its a money thing or accountability.
"It could be that with a place like UC Berkeley, theres so many systems there, and there might not be overarching oversight to make sure this [type of] hacking incident doesnt occur."
The California Office of Privacy Protection recommends that those who suspect their personal data may be at risk should contact one of the three major reporting agencies to receive free copies of credit reports. Contact information for reporting agencies and advice on how to place a fraud alert on credit accounts is located at the California Department of Social Services Web site.
Check out eWEEK.coms Database Center at http://database.eweek.com for the latest database news, reviews and analysis.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.