Data security breach at UCSF may have exposed thousands

The University of California at San Francisco (UCSF) has acknowledged that a possible security breach may have exposed 46,000 people to potential identity fraud.

In a statement on the UCSF Web site, the university said it has warned about 46,000 people to look for signs of identity theft, after discovering that an unauthorized party may have been able to access the personal information of UCSF faculty, staff and students by exploiting a security hole in a computer server. The personal data included names, Social Security numbers, and bank account numbers used for electronic payroll and reimbursement deposits.

The data may have been released from a server in the UC system-wide data center, the university said, adding, "The incident was identified in late March, and the server was immediately taken off-line."

"There is no evidence at this time that any specific information was accessed or acquired," Randy Lopez, co-chief information officer for the Office of Academic and Administration Information Systems, told The Associated Press.

Data security breach: Will data breach be the end of TJX? Industry experts say companies can learn from a data breach and even prosper from it. But is TJX following the right example? Data breach law could put financial burden on retailers: Legislation being considered in Massachusetts would shift the financial burden associated with a data breach onto retailers. It would be the first of its kind in the United States. PCI compliance after the TJX data breach: The massive TJX data breach reinforced the need for stricter controls when handling credit card information. In this tip, Joel Dubin reexamines the need for the PCI Data Security Standard and advises how to ease the PCI compliance burden.

The university told those that suspect fraud to contact the UCSF police department and their personal bank and credit agencies. UCSF has also established a hotline at 415-353-8100.

Colleges and universities have been particularly susceptible to data breaches. At San Diego State University, for example, a hacker broke into the financial aid department's computer records in December 2003 and accessed Social Security numbers and other confidential information. More recently, Ohio University revamped its central IT department after data breaches there compromised personal information belonging to 137,000 people.

Jonathan Penn, an analyst with Cambridge, Mass.-based Forrester Research, said academic institutions are a popular target because there are plenty of records to go after.

"There are typically tens of thousands of students and a lot of financial information because they take out loans all the time," he said. "That makes it an attractive target."

Penn added that university networks tend to be particularly disorganized, with a lot of shared services and different departments doing their own thing with IT. His advice to academia: "Don't just have privacy as someone's third responsibility. Establish a privacy program and have someone in charge of it."

Prat Moghe, founder of Maynard, Mass.-based Tizor Systems, said the traditional university network perimeter tends to be weak, and schools have to rely more on data-level or application-level access controls that aren't as mature as they need to be.

"University security budgets are small and are an afterthought," he said. "They should be increased and CISO's should have clear authority."

Meanwhile, he said, the architecture of university security should be revamped from the inside-out, at a data level, by understanding where the most important information is stored and starting with security at that level first.

"For example, most critical data systems should be secured first, whether in financial systems, alumni systems, grading systems," he said. "Today the approach is to do incremental security from outside in which will take a very long time to show benefits."

News of the possible UCSF breach comes at a time when much of the information security community is fixated on the fallout from a data breach at TJX Companies Inc.

The Framingham, Mass.-based retail giant said last week that at least 45.7 million credit and debit cards were stolen in the breach, affecting customer information dating as far back to December 2002.

Security experts are calling it the largest data breach in history and TJX has become a symbol of data insecurity, despite extensive efforts the company has taken to improve security since the breach was discovered.

By comparison, 26.5 million veterans and active duty personnel were affected by the theft of a Department of Veterans Affairs (VA) laptop and external hard drive last year. And in 2005, credit card transaction processor CardSystems Solutions Inc. acknowledged that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more to fraud.