Security breach investigated

The investigation into December’s breach of a UCLA
database that contained personal information of current and former
students, as well as staff and administrators, continues while
officials focus on notifying those affected and publicizing
available resources.

UCLA officials announced Dec. 11 that a hacker had accessed a
database containing personal information of about 800,000 present
and former UCLA students, staff and other affiliates, including
Social Security numbers. Banking and financial information was not
included in the database.

The hacker accessed the database between October 2005 and
November 2006, when university officials noticed the activity.

Jim Davis, associate vice chancellor for information technology
and UCLA’s chief information officer, described the attack as
sophisticated and malicious.

“As a result, the FBI has been involved,” he
said.

Davis said the university continues to work with the FBI in its
investigation, noting the complexity of the attack.

Many students and other affected parties said they are upset
about the data breach and the possibility their personal
information could be compromised.

“I felt nervous about it. Your Social Security number is
so important,” said Connie Lum, a first-year
business-economics student.

UCLA officials created an Identity Alert Web site as part of
their notification process. Over 112,000 unique users have visited
the site, UCLA spokesman Phil Hampton said.

In addition, officials established a call center to address
concerns from affected people. Hampton said over 31,000 people have
made calls, but noted a large majority of the calls were within the
first week of the announcement.

While everyone whose information was listed in the database was
notified, officials emphasized that not all of the information may
have been accessed. Davis estimated about 5 percent of the records
accessed were Social Security numbers.

He added that after the attack, the database was rebuilt to make
sure it was clean and encrypted.

“We do understand the concern that this kind of thing
causes,” Davis said.

Davis said hackers constantly target UCLA and other
universities, as well as corporations, to find vulnerabilities to
exploit. However, this is reportedly the largest ever occurrence
within a college or university.

Similar incidents have previously occurred at USC, University of
Texas, New York University, UC Berkeley and UC San Diego.

“UCLA takes security very, very seriously,” he
said.

He added that UCLA is constantly researching and updating
software in order to protect itself from Internet predators.

Officials are currently in the middle of a multi-year project to
minimize the use of Social Security numbers in their databases, an
initiative that began before the reports of the attacks.

“UCLA has greatly restricted the number of people who have
access to Social Security numbers,” Hampton said, adding that
full numbers are not printed on paper reports or shown on many
computer screens.

But Hampton said all University of California campuses are
required to use Social Security numbers, since the federal
government requires the information for uses such as tuition tax
credit. Applicants to UCLA and other UC campuses are also required
to submit their Social Security number.

Davis said there are also policies in place to protect sensitive
information that is stored on portable equipment such as
laptops.

Computers cannot access the UCLA network without meeting the
minimum connectivity standards, which include the proper anti-virus
software, according to Davis.

He added that UCLA departments encourage minimal use of laptops
to store private data, but if laptops do store personal
information, it must be encrypted.

Officials encourage affected people to use free fraud alerts and
credit reports available online from three credit reporting
agencies.

People can also file online reports with the FBI’s
Internet Crime Complaint Center if they believe their identity has
been compromised, according to the Identity Alert Web site.

Although there are paid services available, Davis described the
free options as “perfectly adequate.”