UC Berkeley confirms data breach affecting 160,000 people

Berkeley (CA) – The University of California, Berkeley, confirmed that hackers accessed databases containing critical personal data of about 160,000 individuals. Those affected are being informed now, but the damage may already be done – the breach began on October 9, 2008, and continued until April 9, 2009.

UC Berkeley representatives said they began notifying students on May 8, stating that Social Security numbers, health insurance information and non-treatment medical information, such as immunization records and names of some of the physicians they may have seen for diagnoses or treatment, have been accessed and possibly extracted. The university said that the hackers did not access University Health Services’ (UHS) medical records, which include patients’ diagnoses, treatments and therapies.

In total, data of about 160,000 individuals was accessed. The victims of this crime are current and former UC Berkeley students, as well as their parents and spouses, if linked to insurance coverage. Also affected are 3400 Mills College students who received, or were eligible to receive, health care at UC Berkeley. The data for UC Berkeley students, alumni and their parents dates back to 1999. The information involving Mills College former and current students dates back to 2001. Every individual affected may be at risk of identity theft.

UC Berkeley said that the server breach began on October 9, 2008 and continued until April 9, 2009, when campus computer administrators performing routine maintenance identified messages left by the hackers. When discovered, administrators used an “emergency security incident team” to investigate the scope and impact of the breach. Apparently, the attack was launched by hackers based overseas. “The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server,” UC Berkeley said.

“The university deeply regrets exposing our students and the Mills community to potential identity theft,” said Shelton Waggener, UC Berkeley’s associate vice chancellor for information technology and its chief information officer. “The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks.”

The university recommended that individuals whose names and personal data were stolen place a fraud alert on their credit reporting accounts. The campus has set up a website, datatheft.berkeley.edu, to assist these individuals with contact information for key resources.