UCLA Didn't Study for Security Test

Database hack highlights need for more vigilant caretaking of info

As a recent graduate of the University of California, Los Angeles, I was one of the "lucky" 800,000 who received an e-mail from the university last week. Most of the correspondence I get from UCLA relates to alumni donations, but this e-mail was different: It alerted me to the fact that my identity is at risk.

UCLA announced on Dec. 12 that a hacker had gained access to a restricted campus database that contained personal information about current and former students, faculty, and staff. Information such as names, Social Security numbers, home addresses and dates of birth was stored on the affected database.

"I regret having to inform you that your name is in the database," stated Norman Abrams, acting chancellor of UCLA, in the e-mail. "While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers."

If it's not obvious by now, hackers are less interested in gaining notoriety and more interested in making money.

We've been saying for years now that IT managers can no longer consider their networks truly impenetrable, no matter how many safeguards they put in place. The databases in IT managers' care must therefore be under constant watch.

Put another way, if the network is no longer a walled fortress, then security managers need to employ the tactics of a beat cop. So says Alan Norquist, vice president of marketing at security company Imperva. Database usage needs to be monitored, and IT managers need to develop profiles that will look for out-of-the-ordinary database queries, Norquist adds.

Yes, it's convenient that Imperva's software does just that. But Norquist has a good point—and it's one that, clearly, not enough IT managers are taking to heart.

UCLA's Abrams said in the now-infamous e-mail, "We have a responsibility to safeguard personal information, an obligation that we take very seriously."

Easy to say, but that means keeping a closer eye on what's happening on the inside.

Technical Analyst Victor Loh can be reached at victor_loh@ziffdavis.com.
