bit-tech.net

Breach at Berkeley hits 160,000

The computer at UCB's Health Services Centre was penetrated by crackers who stole data on 160,000 individuals over a period of six months.

Hackers have made off with data held on the Berkeley Health Services Centre's computer at the University of California, comprising more than 160,000 people's personal information.

According to an article on CNet, the university announced the security breach on Friday – and warned that at least 97,000 Social Security Numbers were among the data accessed by the attackers.

The crackers were able to delve deep into the system by exploiting a flaw in a publicly accessible website, allowing them access to supposedly secured databases held on the same server. During the time the crackers had access to the system – which the university believes could go back as far as October 9th 2008 – they will have had unfettered access to health insurance information on around 160,000 past and present students and staff at the university.

While personal information – including social security numbers, addresses, and immunisation records – was included in the data accessed, associate vice chancellor for health and human services Steve Lustig is quick to point out that no actual medical records were held on the system.

The attack would appear to be similar to that suffered by job hunting site Monster.com earlier this year, and most likely for the same aim: to hijack personal data to aid in identity theft. Accordingly, the university is currently in the process of setting up a helpline for those affected, along with advising the 160,000 people with data held on the system to set up fraud alert reporting on their bank accounts.

While the attack is still under investigation – both by the campus security services and by the FBI – many questions are likely to be asked as a result: not least of which will be why it took so long for the attack to raise an alarm.

Should the University of California at Berkeley be offering to compensate individuals affected by this breach, or should their efforts go into upgrading their security so that something like this never happens again? Share your thoughts over in the forums.

8 Comments

Dreaming 11th May 2009, 12:20
If any student fell foul of any schemes because of this it would seem (I am no lawyer though) that absolutely Berkeley is liable as it was their responsibility to keep the data safe and any loss incurred would be a direct result of their failure to fulfill this responsibility. If you put your money in the bank and the bank got robbed you would fully expect the bank to compensate you because they failed in their responsibility to protect your money.
p3n 11th May 2009, 12:48
Wonder if it was a 'real' hack or SQL injection type script kiddies Oo
thehippoz 11th May 2009, 13:32
ouch
fodder 11th May 2009, 13:35
*OFF TOPIC*

Quote:
...If you put your money in the bank and the bank got robbed you would fully expect the bank to compensate you because they failed in their responsibility to protect your money.

But apparently ok if they lose it in idiotic dodgy dealing. :-)

(Sorry, couldn't resist)
Faulk_Wulf 11th May 2009, 16:51
Quote:
While personal information – including social security numbers, addresses, and immunisation records – was included in the data accessed, associate vice chancellor for health and human services Steve Lustig is quick to point out that no actual medical records were held on the system.

Oh yes because the SSN and Addresses are trivial information.

Of WHAT use would one person's medical records be to another?
"Oh I see here, two years ago, you had pneumonia."
Am I missing something here or is this guy an idiot?
fodder 11th May 2009, 17:47
Faulk. there are some medical things people wouldn't like public. This introduces blackmail or coersion (sp?) possibilities. I don't think a bout of chlamydia is a nice thing to have publicly advertised, nor is a previous history of treatment for drug addiction. Or worse, maybe bi-polar disorder controlled with medication. This would be a perfectly normally functioning person having their life disrupted if the information were used outside of their medical treatment.
knutjb 11th May 2009, 18:27
At least they have brought in the FBI. Many entities try to keep computer transgressions under wraps to protect their "Image". The FBI has been frustrated from mostly the corporate world by not reporting the attacks. They have the ability to connect attacks to other attacks and track down for criminal prosecution, something a company cannot do.
B3CK 12th May 2009, 06:53
ya, I would be a bit perturbed if they required my information, then allowed it to be taken. I would go for a year's paid identity theft service, and if anyone did try to use it during the first year then an additional 3 yrs should be provided, paid for by the company that lost the data. I think they should be more embarrassed by the fact that this is the same university that developed BSD. right?