Breach at UCLA exposes data on 800,000 such as names, Social Security numbers, dates of birth, addresses

Breach at UCLA exposes data on 800,000
Jaikumar Vijayan

December 12, 2006 (Computerworld) The University of California, Los Angeles, today began sending out letters to more than 800,000 individuals whose personal information may have been compromised in a database breach that remained undetected for more than a year.

A statement posted on the university's Web site said that intruders appear to have taken advantage of a previously "undetected software flaw" in one of its "hundreds" of software applications to gain access to the restricted database. Attempts to access the database have apparently been going on since October 2005, according to the statement.

The breach was discovered on Nov. 21 this year, when the university's computer security technicians noticed an "exceptionally high volume of suspicious database queries," the statement read. "An emergency investigation indicated that access attempts had been made since October 2005 and that the hacker specifically sought Social Security numbers," said Jim Davis, the university's CIO and associate vice chancellor of IT, in the statement. The FBI was notified of the breach.

The breached database includes the names, Social Security numbers, dates of birth and addresses of current and former faculty, staff and students and, in some cases, the parents of students at the university.

"We deeply regret the concern and inconvenience caused by this illegal activity," Davis was quoted as saying. He added that the university has since "reconstructed and protected" the breached database. He did not specify what measures the university has taken to mitigate the problem.

Although the hacker may have obtained personal information on some of the individuals, there is no evidence that the data has been misused, said Acting Chancellor Norman Abrams in the statement.

University officials could not be reached immediately for further comment.

That the breach remained undetected for more than a year is troubling but not entirely surprising, especially in a university environment, said Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston. There is still a widely held misperception that monitoring and auditing databases for security breaches imposes a "ridiculous penalty on performance," he said. As a result, many organizations fail to keep an eye on their databases and miss breaches of the sort that happened at UCLA, he said.

"I don't think the performance argument carries a lot of weight, but it is an argument that people often use" for defending their decision not to monitor database activity, Jaquith said.

Another problem with database activity auditing is that it can generate huge amounts of data, said Ron Ben-Natan, chief technology officer at Guardium Inc., a vendor of database security products. So people tend to tune it down and use it only to detect certain very specific types of activities, such as privilege escalation, he said. In the process, they could miss other potential security violations, he noted.

The UCLA breach is the largest ever reported by a U.S university, but it is one of many reported by higher-education institutions over the past few years. More than a quarter of the 400 or so data breaches listed on the Privacy Rights Clearinghouse Web site since the ChoicePoint compromise of February 2005 involve a university. The most recent breach listed on the privacy advocacy group's site occurred Dec. 9, when Virginia Commonwealth University in Richmond accidentally sent personal information on 561 students as attachments in an e-mail to 195 students informing them of their eligibility for scholarships.

Another university in the news recently for major security lapses is Ohio University, which earlier this year disclosed five separate security breaches, including one that exposed personal information on 137,000 people. As with the recent UCLA breach, one of the holes disclosed by Ohio University went undetected for more than a year. The security lapses at OU led to the resignation of CIO William Sams and the firing of two senior IT staffers.