Online attack puts 1.4 million records at risk

On Tuesday, the California Department of Social Services warned the providers and recipients of the state's In Home Support Services (IHSS) that their names, addresses, telephone numbers, Social Security numbers and dates of birth may be circulating the Internet. IHSS allows individuals to get paid for providing in-home care to senior citizens.

The warning comes after an unknown attacker slipped in through a security hole in a social researcher's unsecured computer at the University of California, Berkeley, on Aug. 1, perhaps making off with 1.4 million database records containing personal information. The researcher noticed the trespass on Aug. 30 and the university notified the state in mid-September.

"We have only determined that the computer itself was accessed," said Carlos Ramos, assistant secretary at the California Health and Human Services Agency. "We haven't determined that the data was accessed."

The FBI and the California Highway Patrol--the state police agency--are investigating the incident, the California DSS stated.

The intrusion is not the first to net personal information at a university. A laptop stolen from the University of California, Los Angeles, exposed about 145,000 people's data. Last year, the Georgia Institute of Technology and the University of Texas at Austin fell prey to online attackers. The California Employment Development Department also may have exposed 55,000 names in February.

In the latest case, a UC Berkeley researcher had lawfully obtained the information as part of a research project into the effectiveness of the IHSS program. However, he had not followed policy that specified that sensitive information, such as Social Security numbers, be removed from the database.

The participants may not have known that their information would be shared, but the DSS is allowed by law to share the information for the purpose of research.

While about 1.4 million records may have been compromised, there also may have been many duplicates, Ramos said. The researcher had the initial database and several updates that brought the total to 1.4 million records, but many of the updates may have been updates of earlier personal information already in the database, he said.

The state stressed in its statement that officials had not received any information indicating that identity theft or misuse of data had occurred. However, the state also recommended that members of the IHSS program contact the three credit bureaus and place a fraud alert on their credit accounts.

A recent survey of online users found that 80 percent are concerned that someone may steal their identity. The survey, fielded by pollster Greenfield Online and security firm Entrust, found that 65 percent of respondents said increased identity protection would influence their decision in selecting a financial institution.

The California government's recommendations for potential victims of the data theft underscore how little people can do to curb the illegal use of their information. While putting credit accounts on fraud alert may make it harder to co-opt financial accounts, forget trying to change a Social Security number, the DSS stated.

"There are drawbacks to doing so, since it may result in losing your credit history, your academic records and professional degrees," the department said in a statement. "The absence of any credit history under a new SSN would make it difficult to get credit, continue college, rent an apartment, open a bank account, get health insurance... In most cases, getting a new SSN would not be a good idea."