A total of 160,000 individuals have been affected, including alumni, students' parents, spouses and others

May 9, 2009 10:54 GMT

The University of California, Berkeley, is in the process of notifying 160,000 current and past students, as well as some of their parents, spouses and other people, that their personal and medical information was stolen by hackers. The data breach incident occurred between October 2008 and April this year.

Unknown attackers hacked into a publicly accessible UC Berkeley server on October 9, 2008, which allowed them to move deeper inside the network, where they accessed databases containing sensitive information. Network admins discovered the security breach on April 9 this year, three days after the hackers abandoned the systems and left taunting messages behind.

"The databases contained individuals' Social Security numbers, health insurance information and non-treatment medical information, such as immunization records and names of some of the physicians they may have seen for diagnoses or treatment," notes a public announcement issued by the university.

The compromised information stretches as far back as 1999. The incident also affected some 3,400 Mills College students who received health care at UC Berkeley beginning in 2001. The letters that are being sent out contain information regarding protection against possible identity theft.

"The university deeply regrets exposing our students and the Mills community to potential identity theft. The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks," said Shelton Waggener, UC Berkeley's associate vice chancellor for information technology and chief information officer.

Wired reports that the theft was traced back to IP addresses in Asia, particularly China. However, past examples show that this does not mean that the hackers operated from those locations. There is a significant number of vulnerable computers in China, which are constantly used by cyber-criminal groups as a conduit in their attacks.

University officials stressed that the University Health Services' (UHS) medical records, which include patients' diagnoses, treatments and therapies, were not compromised as a result of this intrusion, because that information is stored on separate systems. A 24-hour Data Theft Hotline has been set up and can be reached at 888-729-3301. Affected individuals who have more specific questions are encouraged to call the hotline.

A similar incident occurred back in October 2008 at the University of Florida's College of Dentistry, where hackers installed malicious software onto a server containing names, addresses, Social Security numbers, dates of birth and medical notes of over 335,000 patients dating back to 1990.