UC Berkeley Hack Leaves 160,000 At Identity Theft Risk

On April 21st, 2009 UC Berkley officials found that hackers had broken into their campus databases and stole student information. They apparently had gone undetected for six months as the server breach had began on October 9th, 2008. System administrators immediately activated an emergency security incident team to investigate the scope and impact of the breach after finding messages left behind by the intruders during routine maintenance.

Still unsure of the origin, they believe the attack was launched overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server.

The databases that were compromised contained individuals' social security numbers, health insurance, and even medical information. While the medical information was only limited to immunization records and not more detailed information contained in the University's Health Services medical records.

Nearly 160,000 individuals have been alerted that their information was at risk for identify theft. Emails have already been sent out to the affected individuals and what steps they should take to safe guard their personal information.

"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, UC Berkeley's associate vice chancellor for information technology and its chief information officer. "The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."

Individuals affected are being asked to go to datatheft.berkley.edu and also to call the 24-hour Data Theft Hotline at 888-729-3301, to answer their questions.

"Patient privacy and quality care are cornerstones of our services," said Steve Lustig, associate vice chancellor for health and human services. "We are deeply troubled that this breach will concern our current and former clients and want to reassure them that the medical records systems were not touched in this incident. We anticipate that the audit of our systems will inform UHS and the campus of steps that can be taken to continually improve security."