Berkeley breach unravels

The University of California, Berkeley, issued a statement Thursday
detailing the security breach of a computer database containing
sensitive information on about 600,000 people.

Though Berkeley officials became aware of the breach in security
in early September, the two-page statement did not address the
reasons why campus officials did not announce the incident to the
public until Oct. 20.

Janet Gilmore, a Berkeley spokeswoman, declined to comment
beyond what was contained in the press release. It is still unclear
what steps could have been taken to prevent the intrusion and which
security standards, mentioned in the release, Berkeley is set to
implement in the spring.

The California Department of Social Services announced Tuesday
that a hacker gained unauthorized access in early September to a
Berkeley database containing names and social security information
for in-home care providers and recipients. Though the hacker had
access to this information, investigators do not know whether any
personal data was actually acquired.

The breach occurred when a visiting scholar from Connecticut
College used a Berkeley database containing sensitive information
as part of her research project on provider pay and quality of
in-home health care, according to the press release.

The cause of the breach was “related to linking a non-UC
Berkeley computer and non-UC Berkeley server to the campus network
system without taking proper precautions against intrusion,”
the statement said.

It went on to say campus systems at Berkeley, and particularly
databases with sensitive information, will be scanned for problems
by campus network security officials until the implementation of
unspecified higher security standards this spring.

“Campus network security officials spotted and confirmed
the Department of Social Services database breach in early
September,” according to the statement.

The campus, along with the Department of Social Services, the
FBI and officials from Connecticut College, the visiting
student’s home school, met on Sept. 27 to address the
security breach.

UCLA also has databases containing sensitive information, but
university officials do not believe the information is at serious
risk of being accessed by unauthorized persons.

UCLA has a four-pronged approach to prevent such a rift in
security: awareness of the problem, minimizing storage of sensitive
data, security software (such as firewalls and anti-virus
programs) and policy, said Kent Wada, director of UCLA
Information Technology Policy.

“Campus local policy prohibits storing this kind of
sensitive data on portable media,” Wada said, calling
portable items such as laptop computers “convenient but easy
to lose.”

As far as the incident at Berkeley goes, “I don’t
think we’re going to do anything different (at UCLA), but
hopefully it will make people more careful,” Wada said.

The likelihood of a similar event happening at UCLA is slim but
still possible, said Eric Splaver, director of College Information
Services.

“There’s an awful lot of smart people out
there,” Splaver said.

He said that, as much as possible, UCLA tries not to use social
security numbers. In some areas, such as payroll, it is necessary,
but the campus mainframe and the registrar’s office use
masked social security numbers.
