One year after a breach of a university database compromised students’ personal information, UCLA officials say they are continuing to track the case and bolster security.
In December 2006, administrators alerted the campus community that a hacker had accessed a UCLA database containing the names and Social Security numbers of over 800,000 current and former students, as well as faculty and staff members.
Though the database did not contain students’ credit card or bank information, the hacker did appear to have accessed some Social Security numbers, which can be used to steal a person’s identity.
An ongoing investigation has found no evidence of identity theft resulting from the breach, though affected students should still be vigilant, said Jim Davis, associate vice chancellor for information technology.
Since the incident, university officials have worked to protect students’ Social Security numbers, Davis said.
UCLA needs Social Security numbers for financial aid purposes, since they need to report information to the Internal Revenue Service. But Davis said administrators have minimized the use of Social Security numbers since the breach.
“We’ve found a number of places where we can limit and even eliminate the use of Social Security numbers,” he said.
He added that in cases where the university does not need to report to the IRS, officials can often use other identifiers for students, such as the last four digits of a Social Security number rather than the full number.
Applicants to the university must submit their Social Security numbers, but those numbers are deleted after two or three years, Davis said. Still, at any given time university databases contain around 200,000 current and former applicants’ Social Security numbers.
UCLA has also continued its investigation into the security breach and over the past year was able to unearth additional details, Davis said.
He said the investigation determined that the hacker gained access to 28,600 Social Security numbers, and those people were sent additional notifications.
Over 18,000 of those numbers came from students’ financial aid applications submitted between 2002 and 2006, according to a letter from then-acting Chancellor Norman Abrams.
UCLA has also been working with the FBI, and investigators were able to trace the hack to a foreign country, though there are no suspects.
Davis emphasized that the hack was extremely sophisticated, which makes it more difficult to track.
So far, the hacker does not appear to have actually used any of the Social Security numbers, though Davis said that is still a possibility.
“We continue to be careful and monitor this,” he said. “Social Security numbers are (sometimes) held for several years and then used.”
Lowell Kepke, deputy director for the Social Security Administration in San Francisco, said Social Security numbers can be used to open credit in someone else’s name, so potential victims should be on the lookout for any odd credit card or bank activity.
“Check credit card statements to make sure all the charges are really yours,” he said. “If someone gets a specific sign that somebody’s taken their Social Security number and is really using it, call credit card companies, banks, and call the three credit agencies (to alert them to the fraud).”
Kepke added that everyone is entitled to one free credit report per year, available online at freecreditreport.com, a Web site that can reveal whether there has been any fraudulent activity.
In the wake of the data breach, UCLA set up a Web site for concerned students, and Davis said university officials continue to maintain and update the site: www.identityalert.ucla.edu/index.htm.
On the Web site, Abrams encouraged affected students to place fraud alerts on their credit accounts and to alert credit agencies.
Davis also emphasized personal responsibility in preventing identity theft. Students should create non-obvious passwords, at least six characters in length, and should never give out personal information.
He added that the university employs virus scanning to combat security issues.
“One of the most important ways servers get infiltrated is by viruses,” he said, adding that some key-logging viruses are able to record passwords and other information typed onto a computer. “Generally speaking the machines on campus are monitored (for viruses) pretty carefully.”
But he noted that security is an ongoing issue for any large university or company.
“We are continually under attack,” he said. “We are continually probed for vulnerability … in the high tens of thousands (of attempted hacks) per day. We’ve had some scares.”