Break-In Compromises 160k Medical Records At UC Berkeley
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The break-ins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
This is a huge, everyday, constant problem. (Score:5, Interesting)
Time to live in secrecy (Score:3, Interesting)
Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.
If you don't have these accounts, you won't be vulnerable to monetary or identity theft.
Re:Duh.. (Score:5, Interesting)
I don't give them to insurance people, I don't give them to Drs. or medical institutions, or even utilities (cable, phone, etc.). I don't give it out to hardly anyone. Sometimes it is a fight, but, very seldom has it happened, that when I was going to walk away from the transaction, did they not cave and say "ok".
The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes takes a number of tries before finding the salesperson/mgr that will do it.
Who could benefit from this medical info? (Score:5, Interesting)
When will it be illegal to store/lose this data? (Score:4, Interesting)
Re:And... (Score:2, Interesting)
I once read an article about a "right" way to secure data. Even the authors admitted it wasn't foolproof but their point was, it was a lot more secure than what most people are using.
Every externally-facing computer was on its own sub-network, mostly isolated from everything else. Web sites, ftp sites, even wireless access points. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.
Portions of the "corporate" network that didn't need to see each other were partitioned.
Internal web servers were in their own partition. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.
When data needed to go from one part of the network to another, say, from an external or internal web site to a data server or from an employee data to an internal web site or file server in another department, it went through a very tightly controlled firewall.
This way, if a web server got compromised, the damage that could be done by "pwning" it was limited. Likewise, if one department's computers got infected, the damage was limited as well.
Now, this isn't foolproof, but in order to compromise the back-end data servers, someone would have to know specific information about the back end data center and the firewall that protected it. Only some of that information could be gleaned if a public or internal web site or other computer was compromised. An attacker would have to be very lucky, very persistent, or bribe an IT or other high-access employee to get what he wanted.
Or, if this were Hollywood, the attacker could just gain employment as a janitor, walk up to the door of the server room, kill the guards, blow the door open with some C4 he ordered over teh interwebs, and walk out of the building with the server, never to be seen again. But that's outside the scope of this discussion.
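The partitioning described in the comment above, modelled as a default-deny zone policy with a small rule audit; this is an added example, not part of the original post. Zone names follow the comment, while the ports and the two "leaky" rules are constructed assumptions.

```python
# Constructed zone model: zone names follow the comment, ports are assumptions.
EXTERNAL = {"dmz_web", "dmz_ftp", "wifi"}   # externally facing, hold no sensitive data
DEPARTMENTS = {"dept_hr", "dept_finance"}   # partitioned from each other
DATA = "data"                               # locked-down data servers
DB_PORT = 5432                              # assumed data-service port

# Default deny: a flow passes the firewall only if (src, dst) -> port is listed.
SEGMENTED = {
    ("internet", "dmz_web"): {443},
    ("internet", "dmz_ftp"): {21},
    ("dept_hr", "internal_web"): {443},
    ("dept_finance", "internal_web"): {443},
    ("dmz_web", DATA): {DB_PORT},
    ("internal_web", DATA): {DB_PORT},
}

# Same layout plus two convenience rules of the kind that undo the design.
LEAKY = dict(SEGMENTED)
LEAKY[("dmz_web", "dept_hr")] = {445}
LEAKY[("dept_hr", "dept_finance")] = {3389}

def permitted(rules, src, dst, port):
    """True if the inter-zone firewall passes src -> dst on port (default deny)."""
    return port in rules.get((src, dst), set())

def exposed_from(rules, compromised):
    """(zone, port) pairs directly reachable from a compromised zone."""
    return {(dst, p) for (src, dst), ports in rules.items()
            if src == compromised for p in ports}

def audit(rules):
    """Return rules that violate the partitioning described in the comment."""
    findings = []
    for (src, dst), ports in sorted(rules.items()):
        if src in EXTERNAL and dst != DATA:
            findings.append(f"{src} -> {dst}: external zone may only reach data servers")
        if src in DEPARTMENTS and dst in DEPARTMENTS:
            findings.append(f"{src} -> {dst}: departments must stay partitioned")
        if dst == DATA and ports != {DB_PORT}:
            findings.append(f"{src} -> {dst}: data zone open on {sorted(ports)}")
    return findings

if __name__ == "__main__":
    print("from dmz_web (segmented):", exposed_from(SEGMENTED, "dmz_web"))
    print("from dmz_web (leaky):    ", exposed_from(LEAKY, "dmz_web"))
    for finding in audit(LEAKY):
        print("VIOLATION", finding)
```

With the segmented rules a compromised web server can reach only the data service port; the audit flags the two added rules that would widen that exposure.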
Re:how is this interesting ? (Score:5, Interesting)
The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.
And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.
You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.
Re:copy of the e-mail that was sent out (Score:2, Interesting)
My SSN was in the 160k :-/ Just spent the last 30 mins signing on to Experian to put a fraud alert on my account. Anyone understand whether this is good or not? Should I do something else? Also, I see that a freeze will cost $10. Berkeley isn't shelling out for this. It sucks, this is not my fault, some idiots left some ports open and now it's my problem and I don't see much of a concerted response from Berkeley to drive the protection from their end, they do have a website and telephone hotline but I have to do all the running around... wonderful. SSNs suck...
Better Off Stolen? (Score:2, Interesting)