The state of California has warned residents that their personal data may have been stolen from computers at the University
of California, Berkeley, after a database used by researchers there was compromised by hackers.
The California Department of Social Services (CDSS) issued a media advisory on Tuesday, saying that the agency was working
with the U.S. Federal Bureau of Investigation to investigate an intrusion on a computer at Berkeley that contained personal
information on around 1.4 million recipients and providers of In Home Supportive Services (IHSS), which provides home-care
services to low-income elderly and disabled Californians. Names, addresses, telephone and Social Security numbers, as well
as the birth dates for IHSS participants, could have been stolen by the malicious hackers, according to Carlos Ramos, assistant
secretary at CDSS.
The state agency gave Berkeley the IHSS data, which was stored on a machine at the university, for research on the CDSS program.
If stolen, the information could be used to fake the identity of IHSS recipients.
The compromise occurred on Aug. 1 and was discovered on Aug. 30 by Berkeley IT staff using intrusion detection software, Ramos
said.
According to Ramos, investigators know a malicious hacker exploited a vulnerability in "commercially available database software"
and compromised the computer, but they don't know if the attack was targeted, speculating that malicious hackers possibly
discovered the system by scanning for machines running vulnerable versions of the database software.
While evidence indicates that none of the database's information has been misused, IHSS recipients were encouraged to obtain
a credit report and make sure that they were not identity theft victims, the CDSS said in a statement.
A database of personal information on elderly and infirm people would be an attractive target for identity thieves, who may
lack the technical sophistication to defend themselves against identity theft, and may even be unaware the IHSS database stored
their data, said Jonathan Bingham, president and founder at Intrusic Inc., a Waltham, Massachusetts, company that makes software
for spotting suspicious activity on computer networks.
"You take somebody who's elderly and hasn't had experience with computer networks, they're not going to get it," Bingham said.
Without adequate forensic information, investigators face a daunting task in reconstructing the intrusion and determining
whether the IHSS database was compromised, let alone finding the culprits, he said.
"The problem isn't that the system was attacked but that it wasn't discovered for a month," Bingham said.
In the meantime, the CDSS asked Berkeley to return the IHSS data and will investigate whether the researcher adhered to an
agreement to protect the personal information in the database. The department will also review other researchers' work to
make sure they are adhering to data protection guidelines, Ramos said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
