Lessons from the UCLA Hack Attack

University letters to students and alumni are usually cheerful. But the University of California at Los Angeles (UCLA) [ucla.org] is now composing 800,000 embarrassing ones. The university announced Tuesday that it's notifying nearly a million members of its community — including students, faculty and alumni — that a hacker gained access to their Social Security numbers, dates of birth, home addresses and contact information. UCLA computer security technicians noticed a suspicious number of database queries on Nov. 21, and after a quick investigation, discovered that a hacker had accessed records fraudulently all the way back to October of 2005. The university blocked further access to the private data and hired a consultant to help figure out how it happened. In a letter to those who may have been victimized, UCLA's Acting Chancellor Norman Abrams noted that the data does not include credit card or banking information, but apologized. "I deeply regret any concern or inconvenience this incident may cause you," Abrams wrote.

"This is huge," says Beth Givens, director of the Privacy Rights Clearinghouse [privacyrights.org], a nonprofit consumer advocacy group based in San Diego. "It affects almost everyone who has come into contact with UCLA, and puts them at risk for identity theft." A university representative told TIME.com that the compromised data stretches back as far as 12 to 15 years, so the hack attack could affect a significant number of people beyond those presently at the university, including those who attended UCLA or worked there in the 1990s, and possibly even those who simply applied for admission or financial aid. Givens says the combination of information accessed is valuable on the black market and likely to be sold. Buyers could use the data to fraudulently apply for cell phones or credit cards. Because Social Security numbers are almost never changed, hackers could also retain and resell the information for years to come. "I hope that incidents like this will be catalysts to get companies, universities and government agencies to examine their data collection and retention policies," Givens says. "Do they really need to store Social Security numbers for that long, especially given the threat of identity theft?"

Jim Davis, UCLA's Chief Information Officer, who is responsible for the university's computer security policy, says UCLA had already begun removing Social Security numbers from common usage, but that some numbers remain in the university database because of financial reporting requirements. "With 20/20 hindsight, the best way to deal with this kind of situation is not to have Social Security numbers there in the first place," Davis says. "The faster we move on that, the better off we will be." He says that while those at the university are "disconcerted," there is no indication thus far that identity thieves have used any stolen data, and that while the investigation is still in process, the actual number of those affected by the hacking may be just 5% or less of the 800,000 whose data was potentially vulnerable.

The FBI has launched its own investigation of the incident, but tracking down those responsible will be a challenge. In 2005, 8.9 million Americans suffered from some type of identity theft, according to a study done by Javelin Strategy & Research for the Better Business Bureau, and few of those cases are likely to be prosecuted. Many hackers work from remote locations overseas and assiduously cover their digital tracks, and Davis says that signs thus far suggest the attack was not perpetrated by someone on campus. The fact that UCLA didn't discover the hack until more than a year after it began demonstrates how carefully the digital intruder conducted the attack. "Universities are particularly leaky boats," says Givens. "Their systems are highly decentralized and easily accessible by students, staff, even alumni and contractors." That makes it harder to ensure tight security. "Out of hundreds of applications, they found a small vulnerability and found a way to exploit it," Davis says. "Now the question is how the university stands up and responds."