Update: 160,000 accounts breached at UC Berkeley

Computerworld - The University of California, Berkeley (UC Berkeley) has begun notifying more than 160,000 students, alumni and others about the potential compromise of their Social Security numbers, health insurance information and other personal data, following a database intrusion at the university.

The intrusion occurred last October and remained undetected until early this April, when campus computer administrators discovered it during routine performance maintenance, the university said in a statement today.

Evidence uncovered by investigators so far suggests that the attackers took advantage of a vulnerability in a public-facing Web application to gain access to multiple databases hosted on the same server, including the one containing the sensitive information, the university said.

Those impacted by the breach are current and former UC-Berkeley students who had university health care coverage or received health services. Also impacted were parents and spouses of these indviduals if their names had been linked to the insurance coverage, it said.

Among those affected by the compromise are about 3,400 at Oakland-based Mills College who received, or were eligible to receive, health care at UC-Berkeley.

The data involved insurance coverage and details such as immunization history, medical record number and the names of providers seen. Records such as patient medical histories and treatment data were not compromised; that data is stored in a separate database.

From the university's description of the intrusion, it appears that hackers gained access to the underlying databases by exploiting a SQL injection vulnerability in a Web application, said Slavik Markovich, CTO of Sentrigo Inc., a San Mateo, Calif.-based vendor of security products. "When you have a Web application, there are only so many vulnerabilities that you have that allow you to get to the back-end database," Markovich said.

In most instances, when someone gets access to a database through a Web application it is because of either a configuration error or because of a SQL injection flaw at the database layer of the application, he said.

Once access is gained, it becomes relatively easy for a hacker to "escape from the database," gain access to the operating system and then get access to other databases or applications on the same server, Markovich said. The intrusion appears to have been a very targeted attack, he said.

The fact that it remained undetected for several months also indicates that the compromised database was not being monitored, or its logs analyzed, he said.

This is not the first time UC Berkeley has disclosed a major data breach.

In March 2005, the university had to notify more than 98,000 graduate students and applicants about the potential compromise of personal information following the theft of a laptop containing the data.

In a much larger incident in October 2004, hackers broke into a database at the school and potentially compromised data belonging to about 1.4 million recipients and providers of In Home Supportive Services related to the California Department of Social Services. The database was being used by university researchers.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.