The University of California, Los Angeles alerted 800,000 people today that their personal information may have been compromised after discovering that hackers have been exploiting an undetected security hole in a database for more than a year.
The database contains personal information about current and former students, faculty and staff, applicants and parents of students or applicants who applied for financial aid.
UCLA discovered the breach on Nov. 21 and immediately blocked access to Social Security numbers stored in the database. It also notified the FBI, which is conducting an investigation on the incident.
"In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications," said Jim Davis, UCLA's chief information officer and associate vice chancellor for information technology. "We deeply regret the concern and inconvenience caused by this illegal activity. We have reconstructed and protected the compromised database and launched a comprehensive review of all computer security measures to accelerate systematic enhancements that were already in progress."
Some security experts weren't convinced that the university effectively tried to prevent the hack.
"This is another example of the silent epidemic we are seeing right now," J.J. Schoch, director of marketing at Panda Software Labs told SC Magazine today. "Viruses used to be very noisy, but now it is all about organized crime looking to make money very quietly. This illustrates the need for strong intrusion prevention - it is not whether you are attacked by malicious code, but whether there is malicious behavior happening. A good security solution could probably have notified them almost immediately that something was going on."
UCLA Acting Chancellor Norman Abrams informed affected individuals that the hacker accessed personal information of some of those in the database, but the university has no evidence that any data has been misused.
"We take our responsibility to safeguard personal information very seriously," Abrams said. "My primary concern is to make sure this does not happen again and to provide to the people whose data is stored in the database important information on how to minimize the risk of potential identity theft and fraud."
Click here to email Ericka Chickowski.