Breach at UCLA exposes data on 800,000

Computerworld - The University of California, Los Angeles, today began sending out letters to more than 800,000 individuals whose personal information may have been compromised in a database breach that remained undetected for more than a year.

A statement posted on the university's Web site said that intruders appear to have taken advantage of a previously "undetected software flaw" in one of its "hundreds" of software applications to gain access to the restricted database. Attempts to access the database have apparently been going on since October 2005, according to the statement.

The breach was discovered on Nov. 21 this year, when the university's computer security technicians noticed an "exceptionally high volume of suspicious database queries," the statement read. "An emergency investigation indicated that access attempts had been made since October 2005 and that the hacker specifically sought Social Security numbers," said Jim Davis, the university's CIO and associate vice chancellor of IT, in the statement. The FBI was notified of the breach.

The breached database includes the names, Social Security numbers, dates of birth and addresses of current and former faculty, staff and students and, in some cases, the parents of students at the university.

"We deeply regret the concern and inconvenience caused by this illegal activity," Davis was quoted as saying. He added that the university has since "reconstructed and protected" the breached database. He did not specify what measures the university has taken to mitigate the problem.

Although the hacker may have obtained personal information on some of the individuals, there is no evidence that the data has been misused, said Acting Chancellor Norman Abrams in the statement.

University officials could not be reached immediately for further comment.

That the breach remained undetected for more than a year is troubling but not entirely surprising, especially in a university environment, said Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston. There is still a widely held misperception that monitoring and auditing databases for security breaches imposes a "ridiculous penalty on performance," he said. As a result, many organizations fail to keep an eye on their databases and miss breaches of the sort that happened at UCLA, he said.

"I don't think the performance argument carries a lot of weight, but it is an argument that people often use" for defending their decision not to monitor database activity, Jaquith said.

Another problem with database activity auditing is that it can generate huge amounts of data, said Ron Ben-Natan, chief technology officer at Guardium Inc., a vendor of database security products. So people tend to tune it down and use it only to detect certain very specific types of activities, such as privilege escalation, he said. In the process, they could miss other potential security violations, he noted.