Officials at the University of California at Berkeley on Friday began notifying students and the public that hackers had breached a healthcare database at the school, potentially gaining access to the personal information of up to 160,000 students dating back to 1999.
Complicating matters: The breach is thought to have initially occurred months ago, on Oct. 9, 2008. Administrators said they didn’t notice it until April 9, 2009, however.
After an investigation by the university’s security team as well as local law enforcement and the FBI, the university began alerting the public about the breach, it said. University officials also said the exact number of people affected is difficult to determine at this time as the database had some duplicate records.
While the database did not contain actual diagnoses, it did contain such valuable data as social security numbers, they said.
It’s the latest high-profile black eye for networking security. While public companies continue to pay for security breaches, recent news shows that public entities, including government and educational institutions such as the State of Virginia, the FAA, and the University of Utah, are also suffering.
In the UC Berkeley breach, hackers were likely after the social security numbers, one expert said.
“I don’t think people want to get fraudulent access to healthcare,” David Perry, global director of education for security company Trend Micro, told InternetNews.com. “It’s the social security numbers. That’s pretty much the only re-sellable item in there.”
However, he added, we cannot assume that the thieves won’t find some use for the limited health care data they have obtained.
The university is working hard to minimize the damage to those affected, it said. Officials set up a Data Theft Web site to inform everyone about the breach, and notified Mills College, a small institution with 1,481 total students, that any Mills students who used UC Berkeley’s University Health Services (UHS) during or after 2001 also may be affected.
“The university deeply regrets exposing our students and the Mills community to potential identity theft,” Shelton Waggener, UC Berkeley’s associate vice chancellor for information technology and its chief information officer, said in a statement.
“The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks,” Waggener said.
In addition to the effort to track down the culprits, the process of assessing the university’s response now begins, observers said.
For starters, it has to re-examine its data security methods, observers said.
“Everybody needs a crash course in what is important data,” said Trend Micro’s Perry. “UC Berkeley is a fine institution, but the fact that someone was hacking in from October 2008 until April 2009 means someone was asleep at the switch.”
Chris Petersen, CTO and co-founder of LogRhythm, agreed. “It likely means they didn’t have active monitoring in place,” he told InternetNews.com.
Petersen explained that databases do have vulnerabilities, but that just requires more monitoring. “You can attack the database itself or the operating system it runs on,” he said. “Often, default accounts or passwords are left enabled.”
Administrators need specific database security tools, according to Brian Contos, chief security strategist for data security vendor Imperva.
“You need purpose built tools designed specifically for securing sensitive data these days,” Contos said in an e-mail to InternetNews.com. “Trying to secure applications and databases with network-centric solutions is like bringing a knife to a gun fight.”
Still, UC Berkeley received a passing grade when it came to responding to the breach, and Imperva’s Contos pointed out that the university’s disclosure of the hack won’t be cheap.
“For any organization, whether it’s a university or a business, it is very costly to disclose to all individuals that ‘may’ have had their records accessed,” he said.
Another expert noted that it’s no surprise that the investigation took time.
“They had to try to figure out when the breach began and what it impacted,” LogRhythm’s Petersen said. “It probably took time because they had to go to the tape backup … and it’s possible that in some cases, the data is gone.”
LogRhythm specializes in presenting log data in an easy-to-read format, and Petersen explained that it’s not an easy task. “You have to collate multiple types of log data and normalize data from different systems. We’re talking about router logs, switch logs, operating system logs, database server logs, and application logs,” he said.
The university will be helped in responding by law enforcement. The FBI is beginning to learn, and is beginning to teach local law enforcement, according to Trend Micro’s Perry, who is speaking on how security firms can assist law enforcement at this week’s CeCOS conference, a joint venture between the security industry’s Anti-Phishing Working Group and INTERPOL.
“I have nothing but good things to say about the FBI,” he said, pointing to the bureau’s success in last year’s Operation Bot Roast.
Perry said that taking on cybercrime is a change for the police, but they need to follow the money, because the criminals have already done so.
“Money was gold and silver, and now it is information,” he said. “Almost all the money in the world is nothing but data, but we as people are still catching up.”
Perry added that social theorist Alvin Toffler (author of Future Shock) foresaw all of this, when he wrote that we are emotionally unprepared for the rate of change of society.