Hackers Breach UC Berkeley Servers

(WEB HOST INDUSTRY REVIEW) — Hackers broke into the servers used by the University of California at Berkeley (http://berkeley.edu) and Mills College, putting at risk the private information of more than 160,000 students and employees, the university announced on Friday.

In particular, the Social Security numbers of 97,000 individuals are in jeopardy, although it remains to be seen whether the criminals were able to successfully attach those SSNs to the correct names of individuals, said Shelton Waggener, UCB’s chief technology officer.

The hackers were able to bypass additional secured databases stored on the same server as the university’s public website.

Though the databases contained SSNs, health insurance information and non-treatment medical information, no medical records were stolen since they are kept in a different system, said Steve Lustig, associate vice chancellor for health and human services.

Lustig confirmed that while some data has been taken, the identities of the individuals have not.

The breach occurred from October 9, 2008 through April 9, 2009, at which point a campus computer administrator performing routine maintenance found messages left by the hackers.

Waggener said that the messages indicate that the attacks came from overseas, “primarily in the Asian theater,” with traces to China.

Both campus authorities and the FBI were immediately alerted about the intrusion; however, Waggener said that officials did not learn about the data theft until April 21.

Since then, authorities have been investigating what information was taken and who the potential victims are.

The exact methods of the hackers are still undetermined, but some experts suspect that the attackers used SQL injection, a tactic in which malicious database commands are inserted into a website’s input so that its database executes them.

Security experts are questioning why the university did not have the proper monitoring tools in place, leaving the breach undetected for six months, as well as why it stored data of varying levels of sensitivity all on the same server.

On Friday, the university began alerting the 160,000 potential victims via email and standard mail. They include Berkeley students, parents, spouses, and Mills College students who used or were eligible for Berkeley’s health services.

The school also recommended that the affected individuals put a fraud alert on their credit reporting accounts, and it set up a website and hotline to answer victims’ questions.

Though this is the university’s first case of a major server breach, a campus PC that held the private data of some 98,000 people was stolen in 2005 from a Berkeley graduate admission office.

Berkeley is now one of several world-renowned institutions that have fallen victim to major malicious attacks.

Last November, The University of Florida’s dental school announced that the private information of 333,000 people was at risk after hackers broke into its servers, while Harvard University’s Graduate School of Arts and Sciences website suffered a breach in February 2008.
