UC Berkeley officials announced Friday that Social Security numbers and other identification had been hacked from restricted university health services databases, putting students at risk of identity theft.
The security breach, which campus officials said began in October last year, was discovered by university administrators during a routine maintenance check April 9, spurring a criminal investigation by UC police detectives and the FBI.
Steve Lustig, UC Berkeley’s associate vice chancellor of health and human services, said a log entry had indicated the illegal access, but added that the hackers had not stolen medical records, which are stored in a separate system unaffected by the crime.
“We give the highest priority to medical records,” he said. “We have appointed a team to evaluate millions of log entries to see what has been breached and to contact people whose information has been stolen.”
Lustig said that in some cases, students’ names had been directly associated with Social Security numbers.
The electronic databases contained personal information belonging to some university health services clients and their parents or spouses. Additionally, campus officials said “the hackers may have stolen information related to students’ health insurance coverage and some of their non-treatment medical information, such as Hepatitis B immunization histories, health services medical record numbers, dates of visits or names of providers seen, or for participants in the Education Abroad Program, certain information from the self-reported health history.”
He said that financial information, such as students’ bank account and credit card numbers, had not been affected.
One hundred and sixty thousand students were alerted about the incident Friday morning, of which 97,000 had their Social Security numbers illegally accessed.
“We sincerely regret and apologize for any difficulty that this theft may create for you,” Lustig and Shelton Waggener, the university’s associate vice chancellor and chief information officer, said in an e-mail sent to students at 9:43 a.m. Friday. “We have alerted campus police detectives and the FBI, and we are doing all that we can to investigate this crime. We are also dedicated to assisting you with information about the incident and services that can help prevent or minimize the impact this theft may have on you.”
Waggener said the breach was confirmed April 21 and had “occurred as a result of hackers using the system very surreptitiously.”
He said the data thefts began on Oct. 9, 2008, and continued until April 6. As soon as the first activity was detected by authorities three days later, all the exposed databases were immediately removed from service to prevent future attacks.
In order to understand the nature of the security breach and to minimize the chances of a recurrence, Waggener said the university had hired technical experts and an internal auditor, Price Waterhouse Coopers, to help with the investigation.
“With this incident, UC Berkeley has joined a fraternity of institutions that have been victims of criminal attack,” Waggener said. “This deviant act came from outside the campus. The attackers accessed a public website and bypassed additional secured databases stored on the same server.”
As for why the breach had not been identified earlier, Waggener said it was something that could be identified only while checking a log entry.
“There were tell-tale signs,” he said. “The hackers had left messages to system administrators taunting them. This sort of thing is very common.”
Waggener said he didn’t know whether the messages—which the university is not releasing because of the ongoing investigation—can be traced. He said that the IP addresses of the hackers originated in Asia, one of them in China.
“These types of crimes are now global in nature. It’s not being done by a teenager down the street,” he said.
UC Berkeley has spent more than $5 million in the past to protect its servers from hackers, campus officials said.
The university has set up a website, www.datatheft.berkeley.edu, to assist with contact information for key resources, and has established a 24-hour Data Theft Hotline (1-888-729-3301) to answer questions. The university advises those affected to place a fraud alert on their credit cards.
Waggener said that although lots of people were calling the hotline to get information, no one had yet identified themselves as a victim of identity theft.