Break-In Compromises 160k Medical Records At UC Berkeley

nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."

This is a huge, everyday, constant problem.

[silver007]

Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens everyday, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSN's, DOB's, etc into the garbage or post them to the net. It's horrific. At least when hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.

Time to live in secrecy

[commodore64_love]

Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.

If you don't have these accounts, you won't be vulnerable to monetary or identity theft.

Re:Duh..

[cayenne8]

This is a reason why they have to pretty much pull teeth from me, in order for me to give my SSN to any one or any entity that is not related directly to SSN monies and benefits.

I don't give them to insurance people, I don't give them to Dr.'s or medical institutions, or even utilities (cable, phone). etc). I don't give it out to hardly anyone. Sometimes it is a fight, but, very seldom has it happened, that when I was going to walk away from the transaction, did they not cave and say "ok".

The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.

Who could benefit from this medical info?

[Drakkenmensch]

Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...

When will it be illegal to store/lose this data?

[odin84gk]

When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Lets say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.

Re:And...

[davidwr]

I once read an article about a "right" way to secure data. Even the authors admitted it wasn't foolproof but there point was, it was a lot more secure than what most people are using.

Every externally-facing computer was on its own sub-network, mostly isolated from everything else. Web sites, ftp sites, even wireless access points. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.

Portions of the "corporate" network that didn't need to see each other were partitioned.

Internal web servers were in their own partition. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.

When data needed to go from one part of the network to another, say, from an external or internal web site to a data server or from an employee data to an internal web site or file server in another department, it went through a very tightly controlled firewall.

This way, if a web server got compromised, the damage that could be done by "pwning" it was limited. Likewise, if one department's computers got infected, the damage was limited as well.

Now, this isn't foolproof, but in order to compromise the back-end data servers, someone would have to know specific information about the back end data center and the firewall that protected it. Only some of that information could be gleaned if a public or internal web site or other computer was compromised. An attacker would have to be very lucky, very persistent, or bribe an IT or other high-access employee to get what he wanted.

Or, if this were Hollywood, the attacker could just gain employment as a janitor, walk up to the door of the server room, kill the guards, blow the door open with some C4 he ordered over teh interwebs, and walk out of the building with the server, never to be seen again. But that's outside the scope of this discussion.

Re:how is this interesting ?

[lorenlal]

The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.

And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.

You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.

Re:copy of the e-mail that was sent out

[geekspeak]

My SSN was in the 160k :-/ Just spent the last 30mins signing on to Experian to put a fraud alert on my account. Anyone understand whether this is good or not? Should I do something else? Also, I see that a freeze will cost $10. Berkeley isn't shelling out for this. It sucks, this is not my fault, some idiots left some ports open and now it's my problem and I don't see much of a concerted response from Berkeley to drive the protection from their end, they do have a website and telephone hotline but I have to do all the running around... wonderful. SSN's suck...

Better Off Stolen?

[mindbrane]

Have we arrived at a point where the average person is better off having had their identity stolen? With so much identity theft having taken place and, perhaps, a great deal of stolen identities unreported, wouldn't one be better served having had their identity stolen. Being able to establish that one's identity has been stolen may be the most expeditious defense against actions brought resulting from stolen identity. There's security in numbers, unless of course those numbers are stored on a computer.