By Rebecca Trounson
Times Staff Writer
December 12, 2006
In what appears to be one of the largest computer security breaches ever
at an American university, one or more hackers have gained access to a
UCLA database containing personal information on about 800,000 of the
university's current and former students, faculty and staff members,
UCLA officials said the attack on a central campus database exposed
records containing the names, Social Security numbers and birth dates
the key elements of identity theft for at least some of those affected.
The attempts to break into the database began in October 2005 and ended
Nov. 21, when the suspicious activity was detected and blocked, the
In a letter scheduled to be sent today to potential victims of the
breach, acting Chancellor Norman Abrams said that although some Social
Security numbers were obtained by the hackers, the university had no
evidence that any of the information had been misused.
"We take our responsibility to safeguard personal information very
seriously," Abrams said in the letter, which was scheduled to be mailed
or e-mailed overnight to those whose records were compromised. "My
primary concern is to make sure this does not happen again" and to
provide information to try to minimize the risk of identity theft for
those affected, he said.
Abrams urged those whose records might have been accessed to monitor
their consumer credit files and consider fraud alerts and other
The UCLA incident is the latest in a series of computer security
breaches affecting private organizations, financial institutions,
government agencies and other large employers. Partly because of their
tradition of openness, universities are proving to be a favorite and
often vulnerable target, several experts in the field said Monday.
"Universities tend to have a lot of information floating around in a lot
of different places," said Jay Foley, executive director of the Identity
Theft Resource Center, a San Diego-based nonprofit. "They are places we
send our children to share ideas, and it's hard to mix the open sharing
of ideas with the need to tighten down on security."
In 2003, for example, a hacker at San Diego State used an outdated
computer network in the drama department to find a way into the
financial aid system. The Social Security numbers of more than 200,000
people were exposed.
Foley and others interviewed said that although there was no evidence of
any fraudulent or illegal use of the information, the UCLA breach, in
the sheer number of people affected, appeared to be among the largest at
an American college or university.
"To my knowledge, it's absolutely one of the largest," said Rodney
Petersen, security task force coordinator for Educause, a nonprofit
higher education association that focuses on technology issues. He said
most problems at universities have involved breaches of departmental or
other, smaller databases.
Comprehensive statistics on computer break-ins at colleges do not exist.
But in the first six months of this year alone, there were at least 29
security failures at colleges nationwide, jeopardizing the records of
845,000 people. Both private and public institutions have been hit. In
2005, a database at USC was hacked, exposing the records of 270,000
Petersen said that in a survey released by Educause in October, about a
quarter of 400 colleges said that over the previous 12 months, they had
experienced a security incident in which confidential information was
At UCLA, officials said Monday that the targeted database included
records for the university's current and former students, faculty and
staff, in some cases dating to the early 1990s. Others potentially
affected included some applicants during the last five years who did not
enroll at the university, as well as some parents of students or
applicants who had applied for financial aid.
About 3,200 of those being notified are current or former staff and
faculty of UC Merced and current or former staff of UC's Oakland
headquarters. UCLA handles administrative processing for both groups.
Besides names, Social Security numbers and birth dates of those
affected, the database includes home addresses and contact information,
officials said. It does not contain driver's license numbers or credit
card or banking information.
Jim Davis, UCLA's associate vice chancellor for information technology,
described the attack as sophisticated, saying it used a program designed
to exploit a flaw in a single software application among the many
hundreds used throughout the Westwood campus.
"An attacker found one small vulnerability and was able to exploit it,
and then cover their tracks," Davis said.
He said the problem was spotted when computer security technicians
noticed an unusually high number of suspicious queries to the database.
It took several days for investigators to be sure that it was an attack
and to learn that Social Security numbers were the target, he said.
Davis said the investigation was continuing, but that university
officials had decided to notify potential victims now.
"UCLA and its community are the victims of this, and despite the great
deal of effort we put into security, this really is a breach of trust
with our community," he said. "Given that we saw intent in this, we
needed to let people know."
UCLA has established a website to provide information and answer
questions about the incident at http://www.identityalert.ucla.eduand a
toll-free call center, (877) 533-8082.
Laura Eimiller, spokeswoman for the FBI's Los Angeles office, said the
agency was investigating the breach, but said she could not comment
rebecca.trounson (at) latimes.com
Subscribe to InfoSec News