UC Berkeley Says Hackers Breached Database
Page 1 of 2
Officials at the University of California at Berkeley on Friday began notifying students and the public that hackers had breached a healthcare database at the school, potentially gaining access to the personal information of up to 160,000 students dating back to 1999.
Complicating matters: The breach is thought to have initially occurred months ago, on Oct. 9, 2008. Administrators said they didn't notice it until April 9, 2009, however.
After an investigation by the university's security team as well as local law enforcement and the FBI, the university began alerting the public about the breach, it said. University officials also said the exact number of people affected is difficult to determine at this time as the database had some duplicate records.
While the database did not contain actual diagnoses, it did contain such valuable data as social security numbers, they said.
It's the latest high-profile black eye for networking security. While public companies continue to pay for security breaches, recent news shows public entities such as government and educational institutions such as the State of Virginia, the FAA, and the University of Utah are also suffering.
In the UC Berkeley breach, hackers were likely after the social security numbers, one expert said.
"I don't think people want to get fraudulent access to healthcare," said David Perry, global director of education for security company Trend Micro, told InternetNews.com. "It's the social security numbers. That's pretty much the only re-sellable item in there."
However, he added, we cannot assume that the thieves won't find some use for the limited health care data they have obtained.
The university is working hard to minimize the damage to those affected, it said. Officials set up a Data Theft Web site to inform everyone about the breach, and notified Mills College, a small institution with 1,481 total students, that any Mills students who used UC Berkeley's University Health Services (UHS) during or after 2001 also may be affected.
"The university deeply regrets exposing our students and the Mills community to potential identity theft," Shelton Waggener, UC Berkeley's associate vice chancellor for information technology and its chief information officer, said in a statement.
"The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks," Waggener said.
In addition to trying to track down the culprits, now also begins the process of assessing the university's response, observers said.
For starters, it has to re-examine its data security methods, observers said.
"Everybody needs a crash course in what is important data," said Trend Micro's Perry. "UC Berkeley is a fine institution, but that fact that someone was hacking in from October 2008 until April 2009 means someone was asleep at the switch."
Chris Petersen, CTO and co-founder of LogRhythm, agreed. "It likely means they didn't have active monitoring in place," he told InternetNews.com.
Petersen explained that databases do have vulnerabilities, but that just requires more monitoring. "You can attack the database itself or the operating system it runs on," he said. "Often, default accounts or passwords are left enabled."
Page 2: What should have been done?