Hacker exploits UCLA database

By Robert Westervelt, News Editor 12 Dec 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Security staff made the discovery on Nov. 21. The university said an attacker exploited an undetected software flaw in the restricted database over a period of one year, between October 2005 and November 2006. The database contained names, Social Security numbers, dates of birth, home addresses and other contact information, the university said.

Data breach: Survey: Data breach costs surge AT&T breach affects 19,000 customers Complying with breach notification laws Be afraid of the catastrophic data breach Breach prevention: Adding security to the purchasing process When access management becomes rocket science

"UCLA is notifying all of those individuals in the database, even though a continuing investigation indicates that the computer trespasser sought and obtained only some of the information," according to a statement issued by the university in an alert posted on its Web site. "There is no evidence to suggest that personal information has been misused."

When the discovery was made, security staff immediately blocked access to Social Security numbers and began an investigation, said Norman Abrams, the university's acting chancellor, in a letter sent to potential victims. Abrams said the university also notified the FBI, which is conducting its own investigation.

"While the university currently utilizes sophisticated information security measures to protect this database, several measures that were already underway, have been accelerated," Abrams said.

Data breaches have been making headlines in 2006. According to a list posted by the watchdog group, Privacy Rights Clearing House, dozens of breaches have taken place in recent months. While, the UCLA breach was one of the largest involving a U.S. higher education institution, businesses have been grappling with data protection and notification of breaches.

In August, AT&T notified about 19,000 customers that their personal data was compromised after digital miscreants hacked one of its computer systems and gained access to credit card information and other personal data. In late 2005, a timeshare unit of Marriott International Inc. notified over 200,000 customers that a data on backup tapes were stolen.

Tags: Identity Theft and Data Security Breaches,  Database Security Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Security expert's PCI analysis misguided, says PCI Council GM External attacks start with unintentional mistakes, survey finds Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary