Berkeley Hack Yields 1.4 Million SSNs

R.A. Hettinga rah at shipwright.com
Wed Oct 20 15:56:50 PDT 2004


<http://www.informationweek.com/shared/printableArticle.jhtml?articleID=50900249>



Break-In At Berkeley May Have Compromised Data Of 1.4 Million Californians

State officials say it's not clear if names and Social Security numbers
were accessed or stolen but urge individuals to take precautions against
identity theft.


By Thomas  Claburn,    InformationWeek
 Oct. 20, 2004
 URL:
http://www.informationweek.com/story/showArticle.jhtml?articleID=50900249



 California state officials revealed Tuesday that in August a hacker broke
into a University of California, Berkeley, computer containing a database
with the names and Social Security numbers of some 1.4 million Californians.

 Carlos Ramos, assistant secretary at the California Health and Human
Services Agency, said the breach occurred on Aug. 1 but wasn't detected
until the end of the month. It was reported to the state Sept. 21. He
confirmed that the California Highway Patrol and the Federal Bureau of
Investigation are pursuing the incident and that the hacker has not been
found.

 He also stressed that it has not been determined whether the information
in the database on the compromised system was actually accessed or stolen.
"Really, this announcement is a precautionary measure," he says.

 The database in question contained the names, addresses, Social Security
numbers, and dates of birth of caregivers and care recipients participating
in California's In-Home Supportive Services (IHSS) program since 2001. The
data was being used in a UC Berkeley study of the effect of wages on
in-home care and was obtained with authorization from the California
Department of Social Services.

 The Social Services Department is urging IHSS participants to follow the
recommendations of the Office of Privacy Protection, which include
contacting the three major credit bureaus in order to review their credit
reports for signs of identity theft and related fraud.

 UC Berkeley officials were not immediately available for comment.

 "It's a bit ironic," says Jonathan Bingham, president of Intrusic Inc., a
security software company focused on internal threats. "The same thing
happened to UC Berkeley back in 1998. What it highlights are a couple of
factors that are inherently flawed within the industry and within the
security profile of not just UC Berkeley but all of the organizations that
are out there today."

 The university's approach to security is focused too much on keeping
unauthorized intruders out and not enough on policing the actions of users
deemed by the system to be legitimate, Bingham contends. He points to the
fact that the intruder operated for a month before being detected as a sign
that those with access need to be watched more closely.

 "UC Berkeley has a fairly open network, as most universities do," he says.
"They want to give access to as many people as possible, especially in
their research network. When you start introducing confidential information
into open network settings, you need to have a better ability to detect
compromises."

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'





More information about the cypherpunks-legacy mailing list