UCSD is notifying approximately 380,000 people of a break-in involving four computers in the UCSD Business and Financial Services Department. The computers contain personal records such as names, social security numbers and driver’s license information of UCSD faculty, staff and students, as well as those who applied for admission to UCSD but never enrolled. Notification letters were mailed on May 5 to those who might have been affected and will continue to be sent for several weeks.
“We deeply regret that unauthorized intruders have broken into one of our computer networks, possibly compromising the personal information of students, staff, faculty and others,” UCSD Controller Don Larson stated in a press release. “Our main concern at this point is to inform people whose private information has been exposed by this illegal intrusion, provide them guidance on what steps they can take to protect themselves from potential identity theft, and also to assure them that we have taken strong and immediate steps to bolster our defenses against any future attacks.”
Although systems administrators have evidence of an intrusion, there is no evidence that the personal records were accessed. Because many exposed records did not include contact information, UCSD has joined with the California Department of Motor Vehicles and the U.S. Postal Service to obtain contact information for potential victims.
The April 16 incident involved the unauthorized access of two computers via the Internet. Upon discovering the security breach, administrators removed the affected computers from the university network and carried out an emergency assessment of all network stations. It was found that two additional computers containing personal data had also been infiltrated.
A campuswide security task force is being assembled to determine what measures need to be taken to make UCSD secure against future cyber attacks. The breach is currently under investigation by campus police and other law enforcement agencies.
“[The investigation] has been ongoing since day one,” Larson said. “We took the computers offline and now are working with campus security experts to find steps we can take to make the system more secure and make sure this doesn’t happen again.”
Although it has been nearly a month since the system was infiltrated, those sending letters to affected parties say that the wait was needed to straighten out the details of the incident.
“We were trying to get a handle on the problem. We didn’t want to release a statement until we knew how big the problem was,” said Director of Strategic Communications Dolores Davies. “We decided to inform people when we knew about final figures and numbers. It would have been irresponsible to make a public statement before we knew exactly what was going on.”
Other universities have also recently been affected by similar problems. The University of Texas, New York University, and other California State University and UC campuses have had breaches of computer security systems that stored personal information.
“Unfortunately, there are thousands of people out there every day attempting to do this,” Larson said.
Frank Dwyer, the associate director for information technology at the San Diego Supercomputer Center, concurred.
“Academia is known for its culture of openness, and the free sharing of information is part of that philosophy,” Dwyer stated in a press release. “While these are clearly important qualities for an academic institution to have, universities now face the challenge of protecting vital data while preserving this culture of openness.”
Those who receive a notification letter are encouraged to visit http://idalert.ucsd.edu. The Web site includes a list of frequently asked questions and possible ways to protect oneself against identity theft. The university recommends that all individuals who have received the notice letter place a “fraud alert” on their credit card files.
Revelle College junior Caroline Lindsay has followed the safety instructions.
“I’m not sure there’s really anything more I can do at this point besides report the theft and watch my credit report,” Lindsay said. “I hope that UCSD has fixed this, because it’s a pretty scary thing when someone can hack into the system … It just makes you realize how vulnerable you are when everyone’s identified by their credit card and social security numbers.”
Revelle junior Jenny Kaser said she wasn’t too worried.
“If people with bad intentions get their hands on that information, it can’t be good. However, to me it seems like they were just using the access for storage space and nothing more,” she said. “The school has taken the necessary precautions to notify people and tell them what to do about it. I called the credit agency, and it was easy to set the fraud alert.”