UCLA Warns of Unauthorized Access to Restricted Database
UCLA is alerting approximately 800,000 people that their names and certain personal information are contained in a restricted database that was illegally and fraudulently accessed by a sophisticated computer hacker.
This database
contains certain personal information about UCLA's current and some former
students, faculty and staff, some student applicants and some parents of
students or applicants who applied for financial aid. Approximately 3,200 of
those being notified are current or former staff and faculty of the
In a letter being sent to affected individuals, Acting Chancellor Norman Abrams said that personal information about at least some of the individuals was obtained by the hacker but that there is no evidence that any data has been misused. The database includes names, Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information.
"We take our responsibility to safeguard personal information very seriously," Abrams said. "My primary concern is to make sure this does not happen again and to provide to the people whose data is stored in the database important information on how to minimize the risk of potential identity theft and fraud."
UCLA blocked access to the Social Security numbers and the database when suspicious activity was detected on Nov. 21 and immediately activated its information technology security incident team. UCLA also notified the FBI, which is conducting an investigation.
Even though UCLA's ongoing investigation at this time indicates only that the hacker sought and obtained some of the Social Security numbers, out of an abundance of caution, the university decided to notify all 800,000 people whose names are listed in the restricted database.
"Ensuring data security is one of the most important responsibilities we have to the campus community, and in recent years we have significantly strengthened our information security practices in response to increasing attacks. In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications," said Jim Davis, UCLA's chief information officer and associate vice chancellor–Information Technology. "We deeply regret the concern and inconvenience caused by this illegal activity. We have reconstructed and protected the compromised database and launched a comprehensive review of all computer security measures to accelerate systematic enhancements that were already in progress."
UCLA began sending notification letters and e-mails on Dec. 12, as soon as possible after determining that personal data was potentially accessed and after retrieving individual contact information. The letters suggest that recipients contact credit reporting agencies and take steps to minimize the risk of potential identity theft.
To provide information and respond to queries, UCLA has established a Web site, http://www.identityalert.ucla.edu, and a toll-free call center, (877) 533-8082.
For the past decade, UCLA has been systematically upgrading computer security but had not yet identified the vulnerability maliciously exploited by the computer hacker. During this time, UCLA installed and strengthened firewalls and intrusion-detection systems, removed Social Security numbers from computer screens and written reports, and prohibited their storage on portable devices, among other steps.
The UCLA incident is the latest in a string of computer security breaches affecting financial institutions, universities and other large employers. State law requires notification when personal data is reasonably believed to have been acquired.
-UCLA-
OMR558