CRM News: ID Security: UCLA Notifies 800,000 of Data Breach

UCLA Notifies 800,000 of Data Breach

By Erika Morphy
TechNewsWorld
Part of the ECT News Network
12/13/06 11:47 AM PT

A data breach at UCLA has compromised the personal information of as many as 800,000 people associated with the university. The hacked database contained names, Social Security numbers, dates of birth, home addresses and contact information. There are signs that at least some personal information has been obtained by the hacker, acting Chancellor Norman Abrams said.

Considering CRM solutions?
You first need to understand CRM best practices. Before committing to a CRM purchase and implementation, it's good to know the experience of those who have already "been there, done that." It can save time and prevent costly missteps. Download Free Research.

Some 800,000 people associated with UCLA have been notified that their names and certain personal information were in a database that was compromised by a hacker. The database contained personal information about current and former students, faculty and staff, and some applicants.

There are signs that at least some personal information has been obtained by the hacker, according to acting Chancellor Norman Abrams. The database includes names, Social Security numbers, dates of birth, home addresses and contact information.

Personal Information

"We take our responsibility to safeguard personal information very seriously," Abrams said. "My primary concern is to make sure this does not happen again and to provide to the people whose data is stored in the database important information on how to minimize the risk of potential identity theft and fraud."

According to the university, the hacker gained access using a software program that exploited an undetected flaw in their software.

On Nov. 21, computer security at UCLA noticed an unusually high volume of database queries. The investigation found that access attempts have been made for more than a year, beginning in October 2005. UCLA sent out notices on Dec. 12 to people who might have been affected.

Following the Steps

So far, UCLA appears to be doing everything by the book and, according to accounts, the security flaw appears to be a software problem caused by a third party vendor and not by lax internal processes, Scott Vernick, a partner with Fox Rothschild, said.

That could make all the difference if a person's data was compromised and it led to money theft. "It is conceivable that the university could be held liable if it were demonstrated that it did not take the appropriate safeguards," Vernick told TechNewsWorld.

Such a lawsuit would have a steep uphill climb. For the most part, data breaches have been punished by federal regulators, as consumers have little practical recourse in the legal system. However, as the problem worsens and more high profile thefts occur -- Vernick claimed this is probably the largest one that has occurred in an education facility -- that may change.

There were several bills pending in the last Congress about data security and notification procedures, and consumer advocates will press this issue in the upcoming session.

Federal Regulations

Thus far, more than 40 states have implemented their own notification policies. A federal law could preempt those laws, possibly lowering stringent standards in such states as California.

Meanwhile, companies are taking no chances.

"Sophisticated buyers of software and computer systems are making sure their agreements with vendors have indemnification clauses that would hold the vendor responsible for security breaches," Vernick explained. If UCLA had negotiated such a clause with its software vendor and it were to be sued by an identity theft victim, the software vendor would be the liable party.

Such agreements are becoming more commonplace across all industries, Vernick noted. "For instance, if a company uses one hotel for corporate use, that hotel likely has employee information. So, now what companies are doing when they negotiate the best rate, they are also negotiating indemnification clauses."

Next Article in ID Security

Credit Reporting: Where Privacy Really Starts
December 11, 2006

Financial institutions and retailers do little to tighten the credit rating agencies' security processes. Why? For the same reason that this group does not want to see any more states enact laws to allow people to freeze their credit. Too-stringent security policies will keep some consumers from -- gasp -- using their credit to run up even more bills.

More by Erika Morphy

Ballmer Gives Shareholders - and Dell - Cause for Optimism
November 20, 2009

Microsoft CEO Steve Ballmer was all smiles at the company's shareholders meeting, as he touted the early success of Windows 7. Ballmer's cheer may have been contagious; after posting a massive earnings decline for the third quarter, Dell needed some good news to latch onto, and the prospect of broad enterprise adoption of Windows 7 could spur PC sales.

AA.com Sucks the Fun Out of Trip-Planning
November 20, 2009

Using AA.com to book a flight was a painful experience. Densely packed, disorganized information was displayed in an unattractive format. On the plus side, it did seem as though the deals American Airlines advertised were real and not mere bait-and-switch lures. For anyone who wants a travel-planning Web site to inject a little pleasure into the experience, though, I say look elsewhere.

Salesforce.com Pumps Up Volume of Workplace Chatter
November 19, 2009

Salesforce.com has developed a collaboration platform that puts social networking to work. Salesforce Chatter facilitates employee collaboration on projects through Facebook-like profiles, status updates, feeds and groups. The question remains whether employees will be as open to social networking in the workplace as they are in their personal lives.

[Search More...]