RealTime IT News

Calif. Warns Residents of Possible ID Theft

State officials warned California residents Wednesday to take preventative steps against ID theft after an unknown hacker gained access to a database at the University of California, Berkeley.

The files contained approximately one million names, addresses, telephone numbers, Social Security numbers and dates of birth for participants in California's In Home Supportive Services (IHSS), a social services program for disabled and low-income elderly residents.

A researcher working at UC Berkeley used the data on program participants for research on the IHSS program, and authorization to use the personal data was obtained from the California Department of Social Services (CDSS).

According to the CDSS, the investigation into the unauthorized access has not determined whether the hacker acquired any personal data.

"To date, we have not received any information indicating that identity theft or that any misuse of data has occurred," a CDSS advisory warning stated. "Accordingly, CDSS is sending out this advisory as a precautionary measure."

Under a state privacy law passed last year, California companies and state agencies are required to issue warnings when individuals' personal data may have been compromised.

Both the California Highway Patrol and the FBI are investigating the incident. The UC Berkeley IT staff discovered the hack on Aug. 30 using intrusion detection software. According to UC Berkeley officials, the intrusion took place on Aug. 1.

Carlos Ramos, an assistant secretary at CDSS, told the media Wednesday the compromise occurred by exploiting a vulnerability in the commercial database software used by the researcher. Ramos said investigators do not yet know if the attack was a targeted effort or if the hacker intruded after scanning machines running the vulnerable software.

In the advisory warning to California residents, CDSS officials urged those concerned about the possibility of ID theft related to the intrusion to obtain and review a current credit report.

"The fact that someone may have had access to the database doesn't mean you are a victim of identity theft or that they intend to use the information to commit fraud," the advisory states. "However, we wanted to let you know about the incident so that you can take appropriate steps to protect yourself if you are concerned."