The state of California has warned residents that their personal data may have been stolen from computers at the University of California, Berkeley, after a database used by researchers there was compromised by hackers.
The California Department of Social Services (CDSS) issued a media advisory on Tuesday, saying that the agency was working with the FBI to investigate an intrusion on a computer at Berkeley that contained personal information on around 1.4 million recipients and providers of In Home Supportive Services (IHSS), which provides home-care services to low-income elderly and disabled Californians. Names, addresses, telephone and Social Security numbers, as well as the birth dates for IHSS participants, could have been stolen by the malicious hackers, according to Carlos Ramos, assistant secretary at CDSS.
The state agency gave Berkeley the IHSS data, which was stored on a machine at the university, for research on the CDSS program. If stolen, the information could be used to fake the identity of IHSS recipients.
The compromise occurred on Aug. 1 and was discovered on Aug. 30 by Berkeley IT staff using intrusion detection software, Ramos said.
According to Ramos, investigators know a malicious hacker exploited a vulnerability in "commercially available database software" and compromised the computer, but they don't know if the attack was targeted, speculating that malicious hackers possibly discovered the system by scanning for machines running vulnerable versions of the database software.
While evidence indicates that none of the database's information has been misused, IHSS recipients were encouraged to obtain a credit report and make sure that they were not identity theft victims, the CDSS said in a statement.
A database of personal information on elderly and infirm people would be an attractive target for identity thieves, who may lack the technical sophistication to defend themselves against identity theft, and may even be unaware the IHSS database stored their data, said Jonathan Bingham, president and founder at Intrusic, a Waltham, Mass., company that makes software for spotting suspicious activity on computer networks.
"You take somebody who's elderly and hasn't had experience with computer networks - they're not going to get it," Bingham said.
Without adequate forensic information, investigators face a daunting task in reconstructing the intrusion and determining whether the IHSS database was compromised, let alone finding the culprits, he said.
"The problem isn't that the system was attacked but that it wasn't discovered for a month," Bingham said.
In the meantime, the CDSS asked Berkeley to return the IHSS data and will investigate whether the researcher adhered to an agreement to protect the personal information in the database. The department will also review other researchers' work to make sure they are adhering to data protection guidelines, Ramos said.