State officials warned California residents Wednesday to take preventative
steps against ID theft after an unknown hacker gained access to a database
at the University of California, Berkeley.
The files contained approximately one million names, addresses, telephone
numbers, Social Security numbers and dates of birth for participants in
California’s In Home Supportive Services (IHSS), a social services program
for disabled and low-income elderly residents.
A researcher working at UC Berkeley used the data on program participants
for research on the IHSS program, and authorization to use the personal data
was obtained from the California Department of Social Services (CDSS).
According to the CDSS, the investigation into the unauthorized access has
not determined whether the hacker acquired any personal data.
“To date, we have not received any information indicating that identity
theft or that any misuse of data has occurred,” a CDSS advisory warning
stated. “Accordingly, CDSS is sending out this advisory as a precautionary
Under a state privacy law passed last year, California companies and state
agencies are required to issue warnings when individuals’ personal data may
have been compromised.
Both the California Highway Patrol and the FBI are investigating the
incident. The UC Berkeley IT staff discovered the hack on Aug. 30 using
intrusion detection software. According to UC Berkeley officials, the
intrusion took place on Aug. 1.
Carlos Ramos, an assistant secretary at CDSS, told the media Wednesday the
compromise occurred by exploiting a vulnerability in the commercial database
software used by the researcher. Ramos said investigators do not yet know if
the attack was a targeted effort or if the hacker intruded after scanning
machines running the vulnerable software.
In the advisory warning to California residents, CDSS officials urged those
concerned about the possibility of ID theft related to the intrusion to
obtain and review a current credit report.
“The fact that someone may have had access to the database doesn’t mean you
are a victim of identity theft or that they intend to use the information to
commit fraud,” the advisory states. “However, we wanted to let you know
about the incident so that you can take appropriate steps to protect
yourself if you are concerned.”