August 07, 2008

more

more

September 05, 2008

more

more

more

more

more

more

more

more

more

more

more

December 13, 2006

Breach at UCLA exposes data on 800,000

The University of California, Los Angeles, today began sending out letters to more than 800,000 individuals whose personal information may have been compromised in a database breach that remained undetected for more than a year.

A statement posted on the university's Web site said that intruders appear to have taken advantage of a previously ‘undetected software flaw’ in one of its ‘hundreds’ of software applications to gain access to the restricted database. Attempts to access the database have apparently been going on since October 2005, according to the statement.

The breach was discovered on Nov. 21 this year, when the university's computer security technicians noticed an ‘exceptionally high volume of suspicious database queries,’ the statement read. ‘An emergency investigation indicated that access attempts had been made since October 2005 and that the hacker specifically sought Social Security numbers,’ said Jim Davis, the university's CIO and associate vice chancellor of IT, in the statement. The FBI was notified of the breach.

The breached database includes the names, Social Security numbers, dates of birth and addresses of current and former faculty, staff and students and, in some cases, the parents of students at the university.

Although the hacker may have obtained personal information on some of the individuals, there is no evidence that the data has been misused, said Acting Chancellor Norman Abrams in the statement.

That the breach remained undetected for more than a year is troubling but not entirely surprising, especially in a university environment, said Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston. There is still a widely held misperception that monitoring and auditing databases for security breaches imposes a ‘ridiculous penalty on performance,’ he said. As a result, many organizations fail to keep an eye on their databases and miss breaches of the sort that happened at UCLA, he said.

The UCLA breach is the largest ever reported by a U.S university, but it is one of many reported by higher-education institutions over the past few years. More than a quarter of the 400 or so data breaches listed on the Privacy Rights Clearinghouse Web site since the ChoicePoint compromise of February 2005 involve a university. The most recent breach listed on the privacy advocacy group's site occurred Dec. 9, when Virginia Commonwealth University in Richmond accidentally sent personal information on 561 students as attachments in an e-mail to 195 students informing them of their eligibility for scholarships.

Another university in the news recently for major security lapses is Ohio University, which earlier this year disclosed five separate security breaches, including one that exposed personal information on 137,000 people. As with the recent UCLA breach, one of the holes disclosed by Ohio University went undetected for more than a year. The security lapses at OU led to the resignation of CIO William Sams and the firing of two senior IT staffers.

---

DONATION: Keylogger.org is an independent research project supported by a team of enthusiasts. If you find this project useful or would like to help foster its continued development please consider making a donation using PayPal`s online secure payment service.

A PayPal account is not required. All major credit cards are accepted (MasterCard/Eurocard, Visa/Delta/Electron, American Express, Switch/Maestro, Solo). Simply click the button below.

Any amount would be useful and appreciated!

Thanks in advance for your support!