Security staff made the discovery on Nov. 21. The university said an attacker exploited an undetected software flaw in the restricted database over a period of one year, between October 2005 and November 2006. The database contained names, Social Security numbers, dates of birth, home addresses and other contact information, the university said.
"UCLA is notifying all of those individuals in the database, even though a continuing investigation indicates that the computer trespasser sought and obtained only some of the information," according to a statement issued by the university in an alert posted on its Web site. "There is no evidence to suggest that personal information has been misused."
When the discovery was made, security staff immediately blocked access to Social Security numbers and began an investigation, said Norman Abrams, the university's acting chancellor, in a letter sent to potential victims. Abrams said the university also notified the FBI, which is conducting its own investigation.
"While the university currently utilizes sophisticated information security measures to protect this database, several measures that were already underway, have been accelerated," Abrams said.
Data breaches have been making headlines in 2006. According to a list posted by the watchdog group, Privacy Rights Clearing House, dozens of breaches have taken place in recent months. While, the UCLA breach was one of the largest involving a U.S. higher education institution, businesses have been grappling with data protection and notification of breaches.
In August, AT&T notified about 19,000 customers that their personal data was compromised after digital miscreants hacked one of its computer systems and gained access to credit card information and other personal data. In late 2005, a timeshare unit of Marriott International Inc. notified over 200,000 customers that a data on backup tapes were stolen.