- The 10 dumbest mistakes network managers make
- Six Windows 7 features admins will actually care about
- Why the iPhone can't be "killed"
- Nortel enterprise chief wants to bring back Bay
- More porn sneaks onto the iPhone
The University of California, Los Angeles, Tuesday began sending out letters to more than 800,000 individuals whose personal information may have been compromised in a database breach that remained undetected for more than a year.
A statement posted on the university's Web site said that intruders appear to have taken advantage of a previously "undetected software flaw" in one of its "hundreds" of software applications to gain access to the restricted database. Attempts to access the database have apparently been going on since October 2005, according to the statement.
The breach was discovered on Nov. 21 this year, when the university's computer security technicians noticed an "exceptionally high volume of suspicious database queries," the statement read. "An emergency investigation indicated that access attempts had been made since October 2005 and that the hacker specifically sought Social Security numbers," said Jim Davis, the university's CIO and associate vice chancellor of IT, in the statement. The FBI was notified of the breach.
The breached database includes the names, Social Security numbers, dates of birth and addresses of current and former faculty, staff and students and, in some cases, the parents of students at the university.
"We deeply regret the concern and inconvenience caused by this illegal activity," Davis was quoted as saying. He added that the university has since "reconstructed and protected" the breached database. He did not specify what measures the university has taken to mitigate the problem.
Although the hacker may have obtained personal information on some of the individuals, there is no evidence that the data has been misused, said Acting Chancellor Norman Abrams in the statement.
University officials could not be reached immediately for further comment.
That the breach remained undetected for more than a year is troubling but not entirely surprising, especially in a university environment, said Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston. There is still a widely held misperception that monitoring and auditing databases for security breaches imposes a "ridiculous penalty on performance," he said. As a result, many organizations fail to keep an eye on their databases and miss breaches of the sort that happened at UCLA, he said.
The Leader in Network Knowledge
Comment