Hack at UC Berkeley Potentially Nets 1.4 Million SSNs

By exploiting a known vulnerability on an unpatched computer, the hackers potentially gained access to some 1.4 million names, Social Security numbers and more relating to a care program for the elderly.

Hackers took advantage of a known vulnerability on an unpatched computer to potentially gain access to some 1.4 million names, Social Security numbers, telephone numbers, addresses and dates of birth at University of California at Berkeley, officials said Tuesday.

The personal data was that of recipients and providers for the states In Home Supportive Services program, which provides in-home care for elderly people. The data was being used by a researcher, who was studying the impact of wages and benefits paid for by providers and how it impacts the relationship between providers and recipients of in-home care, according to Carlos Ramos, assistant secretary at the California Health and Human Services Agency.

The FBI, the California Department of Social Services and the California Highway Patrol are investigating the breach, which happened at the end of August, according to comments made by UC Berkeley spokesman George Strait in news reports. The state was notified Sept. 27, after the school wrapped up its own investigation with the FBI.

Ramos stressed that the agency has received no indication that the hackers compromised the computer. Nor is there any indication that identity fraud has yet taken place.

"The investigation is still going on, so I cant get into a lot of detail," he said. He did say that the researchers computer was connected to UC Berkeleys network. University security personnel were performing routine intrusion detection when they determined that an unauthorized user was attempting to get at the computer.

Ramos declined to confirm which vendors database was the subject of the attack but did say it was a "commercially available product" with a known vulnerability that was exploited. A patch for the vulnerability was available at the time, Ramos said.

That points to negligence in patching on the part of the university—a fairly common ailment among institutions of higher learning in the state, according to Jordana Beebe, communications director for the Privacy Rights Clearinghouse, a California-based organization that advises consumers about their rights.

/zimages/1/28571.gifFor insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

"Were seeing that [many] major universities and colleges have had a security breach and have had to send out notification because of unauthorized access to secure information," said Beebe, in San Diego. She went on to list a rash of incidents that have been reported since last year, when the state passed a security breach notification law.

To wit, this partial list: Documents containing sensitive information were found in a West Chester University trash bin in August. In May, 380,000 names, Social Security numbers and/or drivers license numbers on a Web server and three workstations were exposed to hackers at UC San Diego. In August 2003, hackers potentially gained access to a database containing the names, addresses and drivers license numbers of about 17,000 visitors from throughout the world at UC Berkeleys Bancroft Library.

/zimages/1/28571.gifClick here to read about critical Oracle vulnerabilities that have been publicly exploited.

Banks, government agencies and schools are at the top of the list as hacking targets, Beebe said. "A lot of private companies do have the wherewithal to make sure data is secure, but many higher institutes of learning are not up to snuff," she said. "Im not sure if its a money thing or accountability.

"It could be that with a place like UC Berkeley, theres so many systems there, and there might not be overarching oversight to make sure this [type of] hacking incident doesnt occur."

The California Office of Privacy Protection recommends that those who suspect their personal data may be at risk should contact one of the three major reporting agencies to receive free copies of credit reports. Contact information for reporting agencies and advice on how to place a fraud alert on credit accounts is located at the California Department of Social Services Web site.

/zimages/1/28571.gifCheck out eWEEK.coms Database Center at http://database.eweek.com for the latest database news, reviews and analysis.


Be sure to add our eWEEK.com database news feed to your RSS newsreader or My Yahoo page