Breach at UCLA exposes data on 800,000
By Jaikumar Vijayan
,
Computerworld
, 12/12/2006
- Share/Email
- Tweet This
- Print
The University of California, Los Angeles, Tuesday began sending out letters to more than 800,000 individuals whose personal
information may have been compromised in a database breach that remained undetected for more than a year.
A statement posted on the university's Web site said that intruders appear to have taken advantage of a previously "undetected software
flaw" in one of its "hundreds" of software applications to gain access to the restricted database. Attempts to access the
database have apparently been going on since October 2005, according to the statement.
The breach was discovered on Nov. 21 this year, when the university's computer security technicians noticed an "exceptionally
high volume of suspicious database queries," the statement read. "An emergency investigation indicated that access attempts
had been made since October 2005 and that the hacker specifically sought Social Security numbers," said Jim Davis, the university's
CIO and associate vice chancellor of IT, in the statement. The FBI was notified of the breach.
The breached database includes the names, Social Security numbers, dates of birth and addresses of current and former faculty,
staff and students and, in some cases, the parents of students at the university.
"We deeply regret the concern and inconvenience caused by this illegal activity," Davis was quoted as saying. He added that
the university has since "reconstructed and protected" the breached database. He did not specify what measures the university
has taken to mitigate the problem.
Although the hacker may have obtained personal information on some of the individuals, there is no evidence that the data
has been misused, said Acting Chancellor Norman Abrams in the statement.
University officials could not be reached immediately for further comment.
That the breach remained undetected for more than a year is troubling but not entirely surprising, especially in a university
environment, said Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston. There is still a widely held misperception
that monitoring and auditing databases for security breaches imposes a "ridiculous penalty on performance," he said. As a
result, many organizations fail to keep an eye on their databases and miss breaches of the sort that happened at UCLA, he
said.
"I don't think the performance argument carries a lot of weight, but it is an argument that people often use" for defending
their decision not to monitor database activity, Jaquith said.
Another problem with database activity auditing is that it can generate huge amounts of data, said Ron Ben-Natan, CTO at Guardium,
a vendor of database security products. So people tend to tune it down and use it only to detect certain very specific types
of activities, such as privilege escalation, he said. In the process, they could miss other potential security violations,
he noted.
The UCLA breach is the largest ever reported by a U.S university, but it is one of many reported by higher-education institutions
over the past few years. More than a quarter of the 400 or so data breaches listed on the Privacy Rights Clearinghouse Web
site since the ChoicePoint compromise of February 2005 involve a university. The most recent breach listed on the privacy
advocacy group's site occurred Dec. 9, when Virginia Commonwealth University in Richmond accidentally sent personal information
on 561 students as attachments in an e-mail to 195 students informing them of their eligibility for scholarships.
For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.
Comment