
UCLA break-in puts data on 800,000 at risk

For more than a year, an intruder has been accessing private information on students and staff, among others, the university says.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
In one of the largest known security breaches at a university, the database at the University of California, Los Angeles has been broken into, exposing the private information of about 800,000 people.

Administrators discovered November 21 that the database had been compromised, according to a letter dated Tuesday that was posted to the university's Web site (PDF here). The hacker had exploited a previously undetected software flaw and gained access to the database from October 2005 until the discovery, Norman Abrams, acting UCLA chancellor, said in the letter.

"While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers," Abrams said.

The breach affects UCLA students, staff, applicants and some students' parents. It also included information on current and some former faculty and staff at the University of California, Merced, and at the University of California Office of the President.

Sensitive information stored in the database included Social Security numbers, home addresses, dates of birth and contact information. Financial information, such as credit card numbers or bank accounts, was not housed in the database.

When the illicit activity was discovered, university staff immediately blocked access to Social Security numbers housed in the database and began an investigation, UCLA said. The database normally operates under restricted access and requires a password from authorized users, it said. In addition, the institution said it began notifying all those affected as well as the FBI, which has launched its own investigation.

UCLA's security breach is among the largest to hit a university. Earlier this year, for example, Western Illinois University suffered a hacker attack that compromised the personal information of 180,000 people, and Ohio University found three of its servers, one of which contained 137,000 Social Security numbers, had been compromised.

Last year, the University of Southern California suffered a security breach of a database containing personal information on 275,000 applicants over an eight-year period.

For a number of universities and colleges, balancing security with the free flow of information particular to institutions of higher learning is a challenge, as open computer networks can be more vulnerable than a corporate network, security experts have said.