UCLA Data Breach Leaves 800K At Risk

Hacker Breaks Into Computer System, Some Social Security Numbers Obtained

(CBS/AP)  Officials at the University of California Los Angeles alerted about 800,000 current and former students, faculty and staff on Tuesday that their names and certain personal information were exposed after a hacker broke into a campus computer system.

It is probably the largest breach of computer security at an American university. Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association that focuses on technology issues, told the Los Angeles Times that most problems at universities have involved breaches of departmental or other, smaller databases.

In the first six months of this year, there were at least 29 security failures at colleges nationwide, jeopardizing the records of 845,000 people, compared to about 800,000 in the UCLA breach alone.

The attacks on the UCLA database began in October 2005 and ended Nov. 21 of this year, when computer security technicians noticed suspicious database queries, according to a news release posted on a school Web site set up to answer questions about the theft.

Acting Chancellor Norman Abrams said in a letter (.pdf) to those affected, posted on the site, that while the database includes Social Security numbers, home addresses and birth dates, there is no evidence any data have been misused, although some Social Security numbers were obtained by the hackers.

The letter suggests, however, that recipients contact credit reporting agencies and take steps to minimize the risk of potential identity theft. The database does not include driver's license numbers or credit card or banking information.

The FBI is investigating, the letter says.

The database includes former students who attended UCLA in the 1990s, as well as current and some former faculty and staff at the University of California, Merced.

"You don't necessarily have to be a current or former UCLA student to be affected by this break-in. They also got information about people who applied to the university but never attended," says CBSNews.com technology analyst Larry Magid.

"We have a responsibility to safeguard personal information, an obligation that we take very seriously," Abrams wrote in the letter. "I deeply regret any concern or inconvenience this incident may cause you."

The university set up a Web site and an Identity Alert Hotline, (877) 533-8082, for those who think they may have been affected by the breach.