Hackers attack Cal database

0 Comments | Oakland Tribune, Oct 21, 2004 | by Michelle Maitre, STAFF WRITER

State and federal authorities are investigating a hacker attack at University of California, Berkeley after someone broke into a computer containing the Social Security numbers and other personal information of more than 1 million people, many of them elderly and disabled participants in a state home-care program.

The break-in appears to be the largest yet to be publicly disclosed since passage of a 2003 California law requiring companies and agencies to warn people when their personal data may have been compromised, said Joanne McNabb, chief of the state Office of Privacy Protection. While officials don't know yet if any personal information was taken, they are nonetheless urging anyone whose information may have been compromised to guard against identity theft. Investigators haven't discovered any instances of identity theft stemming from the break in. "For us the trigger point is that at least the possibly exists that the data was accessed,'' said Carlos Ramos, assistant secretary of the state's Health and Human Services Agency. "We figured it's a good precaution to put this out and let participants start looking over their credit reports and look for any suspicious activities.''The California Highway Patrol, FBI and the state Department of Social Services are investigating the incident, in which an unauthorized user accessed a computer belonging to a UC Berkeley researcher studying the state's In Home Supportive Services program. The program provides services to the elderly and disabled. The computer contained the names, addresses, telephone numbers, birthdates and Social Security numbers of 1.4 million program participants, including both those who receive the services and those who provide them. The researcher, whose name was not released, had been authorized by the California Department of Social Services to receive the information, which was part of a study looking at the correlation between providers' wages and turnover rates and the impact of turnover rates on services. Ramos said the records dated back to 2001 and many of them may have been duplicates. The hacker was able to break in using a vulnerability in the computer software being used, said Ramos, who declined to identify the software. He said the researcher was not following agreed-upon data protection measures. University officials did not return calls for comment Wednesday. The number of Alameda County residents whose information was contained in the computer was not immediately available, but county Social Services Agency spokeswoman Sylvia Myles said about 24,000 county residents participate in the in-home program. About 13,000 residents receive services through the program and another 11,000 are service providers, she said. The agency has already contacted local contractors who provide in-home supportive services and asked them to spread the word about the break in, she said. "It's just really more about the public awareness aspect,'' Myles said. "We don't have any information at this point that says the information was obtained.'' The state has created a special Web site, www.cdss.ca.gov/ihss/, whereprogram participants can receive information on the incident, as well as information on obtaining a free credit report and placing a fraud alert on credit accounts. The public can also call the state Department of Social Services toll free at (866) 404-9214 for more information. Ramos said the computer break-in occurred Aug. 1, and UC Berkeley's internal computer security unit detected it Aug. 30. The university notified the state of the breach on Sept. 21, and officials issued a media advisory on the incident on Tuesday. Ramos said it took officials a while to investigate the break-in and determine whether it was indeed an unauthorized use. "Whenever you get what looks like suspicious activity, you have to doa certain level of investigation and review to determine if there is actual intent, or if the system is reading someone trying to log on from home as an attack,'' Ramos said. Ramos was unable to comment on the status of the investigation or possible suspects. "At this point, our information is that it came from an outside source,'' Ramos said, "but again, there's an investigation under way.'' FBI media representative Tamara Neiman said she also couldn'ttalk about specifics of a pending investigation, but said the bureau generallyinvestigates issues relating to federal crimes. "Because this is potentially identity theft, we would look into it,''Neiman said. Neel Mehta, who leads X-Force, a research and development team of computer security experts at Atlanta-based Internet Security Systems, saidit can be very difficult to secure a computer network as large as UC Berkeley's. "It's very challenging,'' Mehta said. "There are things that corporations and universities can do to make it harder for hackers to break in, but with a network as large as Berkeley's, it's very hard to make it completely secure.'' Mehta said a growing number of economically motivated hackers are targeting specific organizations in hopes of obtaining others' information forpersonal gain, although he didn't have enough information on the Berkeley incident to say if it's part of that trend. "There are really two ways that hackers work,'' Mehta said. "A lot of less-skilled hackers are opportunistic, they go from machine to machine andtarget to target, and when they find one, they'll break in. But there's a second tier of hackers that know what they're looking for and know where to look for it and they're quite good at getting information.'' The Associated Press contributed to this report.Contact Michelle Maitre at mmaitre@angnewspapers.com