
Break-In Compromises 160k Medical Records At UC Berkeley

Posted by timothy
from the no-ivy-league-nudes-on-file-at-berkeley dept.
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The break-ins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."

  • by silver007 (1479955) on Tuesday May 12, 2009 @01:05PM (#27924101) Journal
    Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens every day, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSNs, DOBs, etc. into the garbage or post them to the net. It's horrific. At least when a hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.
  • by commodore64_love (1445365) on Tuesday May 12, 2009 @01:06PM (#27924129) Journal

    Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.

    If you don't have these accounts, you won't be vulnerable to monetary or identity theft.

  • Re:Duh.. (Score:5, Interesting)

    by cayenne8 (626475) on Tuesday May 12, 2009 @01:21PM (#27924359) Homepage Journal
    This is a reason why they have to pretty much pull teeth from me, in order for me to give my SSN to any one or any entity that is not related directly to SSN monies and benefits.

    I don't give them to insurance people, I don't give them to doctors or medical institutions, or even utilities (cable, phone, etc.). I hardly give it out to anyone. Sometimes it is a fight, but very seldom has it happened that, when I was going to walk away from the transaction, they did not cave and say "ok".

    The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but it sometimes takes a number of tries before finding the salesperson/mgr that will do it.

  • by Drakkenmensch (1255800) on Tuesday May 12, 2009 @01:26PM (#27924439)
    Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...
  • by odin84gk (1162545) on Tuesday May 12, 2009 @01:34PM (#27924539)
    When will there be a law that will either 1.) fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Let's say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
  • Re:And... (Score:2, Interesting)

    by davidwr (791652) on Tuesday May 12, 2009 @01:36PM (#27924579) Homepage Journal

    I once read an article about a "right" way to secure data. Even the authors admitted it wasn't foolproof, but their point was, it was a lot more secure than what most people are using.

    Every externally-facing computer was on its own sub-network, mostly isolated from everything else. Web sites, ftp sites, even wireless access points. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.

    Portions of the "corporate" network that didn't need to see each other were partitioned.

    Internal web servers were in their own partition. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.

    When data needed to go from one part of the network to another, say, from an external or internal web site to a data server, or from employee data to an internal web site or file server in another department, it went through a very tightly controlled firewall.

    This way, if a web server got compromised, the damage that could be done by "pwning" it was limited. Likewise, if one department's computers got infected, the damage was limited as well.

    Now, this isn't foolproof, but in order to compromise the back-end data servers, someone would have to know specific information about the back end data center and the firewall that protected it. Only some of that information could be gleaned if a public or internal web site or other computer was compromised. An attacker would have to be very lucky, very persistent, or bribe an IT or other high-access employee to get what he wanted.

    Or, if this were Hollywood, the attacker could just gain employment as a janitor, walk up to the door of the server room, kill the guards, blow the door open with some C4 he ordered over teh interwebs, and walk out of the building with the server, never to be seen again. But that's outside the scope of this discussion.
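    The partitioned layout described in this comment, written out as a host-based nftables forwarding policy. This is an added example, not the commenter's or the article's; the zone addresses, the single data-tier application port (5432) and the department service ports are assumptions, and the real article the commenter read is not reproduced here.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny segmentation in the shape the comment describes.
# Addresses and ports are assumed; adjust to the real zones.
flush ruleset

table inet segmentation {
    # Zones (assumed addressing). External-facing hosts sit on their own
    # subnet; internal web servers and each department get their own too.
    set dmz_web { type ipv4_addr; flags interval; elements = { 203.0.113.0/24 } }
    set int_web { type ipv4_addr; flags interval; elements = { 10.10.0.0/24 } }
    set dept_a  { type ipv4_addr; flags interval; elements = { 10.20.0.0/24 } }
    set dept_b  { type ipv4_addr; flags interval; elements = { 10.30.0.0/24 } }
    set data    { type ipv4_addr; flags interval; elements = { 10.99.0.0/24 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Public web tier holds no sensitive data: it may open only the
        # application port on the data tier, and nothing else internal.
        ip saddr @dmz_web ip daddr @data tcp dport 5432 ct state new accept

        # Internal web servers are treated the same way: one narrow path.
        ip saddr @int_web ip daddr @data tcp dport 5432 ct state new accept

        # Departments reach internal web/file services only; never the data
        # tier directly, and never each other (no dept_a -> dept_b rule).
        ip saddr @dept_a ip daddr @int_web tcp dport { 443, 445 } ct state new accept
        ip saddr @dept_b ip daddr @int_web tcp dport { 443, 445 } ct state new accept

        # Nothing initiates from the data tier outward; log the attempt so a
        # compromised data server shows up in the audit trail.
        ip saddr @data ct state new log prefix "data-tier-egress-denied " drop

        # Everything else (dmz -> dept, dept -> data, dept -> dept) falls to
        # the drop policy; log new-connection attempts for review.
        ct state new log prefix "segmentation-denied " drop
    }
}
```

    Loading it with `nft -f` on the firewall host that routes between the zones gives the "pwned web server can only reach the data tier on one port" property the comment is after; the logged drops are what turns that limit into something visible rather than silent.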

  • by lorenlal (164133) on Tuesday May 12, 2009 @01:53PM (#27924851)

    The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.

    And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties to or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded because they had a valid username/password... Someone else's.

    You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.

  • by geekspeak (127457) on Tuesday May 12, 2009 @03:00PM (#27925891)

    My SSN was in the 160k :-/ Just spent the last 30 mins signing on to Experian to put a fraud alert on my account. Anyone understand whether this is good or not? Should I do something else? Also, I see that a freeze will cost $10. Berkeley isn't shelling out for this. It sucks, this is not my fault, some idiots left some ports open and now it's my problem, and I don't see much of a concerted response from Berkeley to drive the protection from their end; they do have a website and telephone hotline but I have to do all the running around... wonderful. SSNs suck...

  • Better Off Stolen? (Score:2, Interesting)

    by mindbrane (1548037) on Tuesday May 12, 2009 @04:45PM (#27927831) Journal
    Have we arrived at a point where the average person is better off having had their identity stolen? With so much identity theft having taken place and, perhaps, a great deal of stolen identities unreported, wouldn't one be better served having had their identity stolen? Being able to establish that one's identity has been stolen may be the most expeditious defense against actions brought resulting from stolen identity. There's security in numbers, unless of course those numbers are stored on a computer.
