
Cal Hack Attack Probed

Authorities are trying to determine how a hacker gained access to a University of California computer that contained personal information for up to 600,000 state residents.

The FBI, the California Highway Patrol and the California Department of Social Services have not determined whether any personal data was taken, but officials said they have not seen any evidence of identity theft.

The computer contained home addresses, telephone numbers, dates of birth and Social Security numbers of people enrolled in In-Home Supportive Services, a state and federally funded program to assist elderly and disabled California residents.

State officials recommend that the program's recipients and providers who could be in the database notify major credit bureaus that their information may have been compromised.

A researcher at the university's Berkeley campus was authorized to work with the data. Berkeley officials said the records of up to 600,000 people were involved.

Carlos Ramos, assistant secretary for the California Health & Human Services Agency, said the researcher had not followed agreed-upon data protection measures.

U.C. Berkeley spokesman George Strait said the campus is doing what it can to prevent such breaches.

"We all wish that computer security was 100 percent, but in this high-tech world that we live in there are lots of people out there who like to test the systems," he said.

The hacking occurred Aug. 1 and was detected by campus officials Aug. 30. Ramos said the state was notified on Sept. 21, and his department issued an advisory Tuesday.

Strait said it took campus information technology workers some time to investigate the scope of the attack, but "as soon as we discovered that there was a breach, we acted expeditiously to inform the people involved."

A 2003 California law requires companies and agencies to warn people when their personal data may have been compromised.

Ramos said officials decided to disclose the breach as a precaution. He said the law doesn't force disclosure unless it is determined a database has been downloaded.

Chris Jay Hoofnagle, associate director of the nonprofit Electronic Privacy Information Center in Washington, D.C., said reports of security breaches have become more frequent since passage of California's disclosure law.

"The California law has given the public a window into a very serious problem of information security," Hoofnagle said. "About once a month now, we hear about a very major information privacy breach as a result of this law."
