The identity alert site at UCLA has some late-breaking news:
A sophisticated computer hacker has illegally and fraudulently accessed a restricted UCLA database containing names and certain personal information. This database includes UCLA’s current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current or former staff and faculty of the University of California, Merced, and current or former employees of the University of California Office of the President, for which UCLA does administrative processing.
UCLA is notifying all of those individuals in the database, even though a continuing investigation indicates that the computer trespasser sought and obtained only some of the information. There is no evidence to suggest that personal information has been misused.
That’s a lot of data. Wonder if these big schools are considering breaking apart and isolating repositories in order to reduce the value of assets exposed by a single breach.
Did they really have to say “sophisticated” hacker? That seems to differ in tone from the detail in a breach notification message, distributed today:
Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.
So which was more sophisticated, the hacker or the information security measures?
Unaccelerated measures. I know how that goes. Upper management often says, “I know it’s required for compliance, and it sounds great, but can we do it later?” Costs more to do things late, but even more to do things late and fast. It’s hard to know where you need to accelerate the most if your budget isn’t able to cover all the lost time.
At the end of their email message is the following warning and advice:
This is an automated message regarding the recent identity alert at UCLA. We’re sorry, but we are unable to respond to emails. Please do not reply to this email. If you have questions or concerns and would like to speak with someone, please call (877) 533-8082. For additional information and steps to take, please go to the dedicated website at http://www.identityalert.ucla.edu.
Hard to tell if they do not want to respond to email because of liability or vulnerability/compromise issues, or because phone line bandwidth tends to be far inferior to the unlimited capacity of email queues, so they hope to throttle down the number of complaints coming into their inbox.
The letter also wisely points out that they will not be requesting any information from the victims:
Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to release any personal information in response to inquiries of this nature.
I’m sure more details will emerge over the next few days.