Break-In Compromises 160k Medical Records At UC Berkeley
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The break-ins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
Duh.. (Score:3, Insightful)
Re: (Score:2)
The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server.
OK, What moron keeps sensitive databases on a public web server?
Re:Duh.. (Score:4, Funny)
Re: (Score:2)
I'm a computer science major at Berkeley and I can attest that, outside of the EECS department, things run on pretty much the same software as at any university. I don't know about server software specifically, but all the administrative computers I've seen run Windows or are Macs.
Inside the EECS department, though, you can see the Unix-centric heritage. It's like a little software enclave—it's got its own class account system with email and newsgroups, no doubt dating back to when it was the only dep
Re: (Score:2)
Re:Duh.. (Score:5, Interesting)
I don't give them to insurance people, I don't give them to Dr.'s or medical institutions, or even utilities (cable, phone, etc.). I don't give it out to hardly anyone. Sometimes it is a fight, but, very seldom has it happened, that when I was going to walk away from the transaction, did they not cave and say "ok".
The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes takes a number of tries before finding the salesperson/mgr that will do it.
Re:Duh.. (Score:5, Informative)
> The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes takes a number of tries before finding the salesperson/mgr that will do it.
It's got to do with a credit check. You need to surrender your SSN for the normal credit check, and they use the results to determine your deposit. Very few companies will do an alternate (less informative/reliable) check that does not require your ssn.
Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit. Anyone that tells you that your ssn is required to get an iPhone is out of touch with reality.
This is true of any of the places that are not authorized by law to require your ssn. So same applies to the others that are often brought up, such as utilities, and pretty much always applies to calculation of a deposit or interest rate.
Re: (Score:2)
Re: (Score:2)
> Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit.
FWIW, I was able to get verizon fios installed without a SSN or a security deposit or any kind of automated payment setup either. To make things even "weirder" looking - I use a private mailbox for all billing so my installation address didn't even match my billing address.
Comcast, on the other hand, wanted an SSN. Since Verizon didn't I just went with them instead of pushing back on Comcast. So I can't say how easy it might be to change Comcast's mind.
Auditing Logs (Score:5, Insightful)
Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
Re: (Score:2)
> Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
This is a bit of a dilemma, if the systems administrator and the hacker are one and the same person.
Re: (Score:3, Insightful)
That's only reserved for a select few sites.
Odd behavior is sometimes hard to distinguish from normal behavior, so you can't get everything. And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns because the deed may be over at the time the analysis has finished.
And then - many systems today lack necessary logs and may even lack logs completely. That's all too common in those cost-pressed projects. Even if there is a log it's often incomprehensible unless
Re: (Score:2)
> And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns
We have these things called computers, you know...
Re:Auditing Logs (Score:5, Insightful)
Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.
I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.
Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.
The old saying "don't fix it, if it ain't broke" runs many IT Depts.
Re: (Score:3, Informative)
> Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
A lot of that is left up to parsing scripts, interns, or just ignored. Plus, "Odd" is relative. If one of your people is overseas in China, and his VPN account logs in from China IPs at odd times of the day, it could be normal. Until it logs in twice at the same time or after he comes home, you won't notice.
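Added example, not part of the original comments: a small parsing script for the one signal the comment above says does stand out, the same VPN account connected from two source addresses at once. The log format, account names and addresses are constructed for illustration, and the country column is assumed to be resolved already by the VPN gateway or a GeoIP lookup.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN log (assumed format):
# ISO time, account, event, source IP, country code.
SAMPLE_LOG = """\
2009-04-01T02:10:00 jlee CONNECT 203.0.113.7 CN
2009-04-01T03:55:00 jlee DISCONNECT 203.0.113.7 CN
2009-04-01T09:00:00 asmith CONNECT 198.51.100.20 US
2009-04-02T02:05:00 jlee CONNECT 203.0.113.7 CN
2009-04-02T02:40:00 jlee CONNECT 192.0.2.99 DE
2009-04-02T03:30:00 jlee DISCONNECT 203.0.113.7 CN
2009-04-02T04:00:00 jlee DISCONNECT 192.0.2.99 DE
2009-04-02T17:00:00 asmith DISCONNECT 198.51.100.20 US
"""


def parse_events(text):
    """Return (time, account, event, ip, country) tuples sorted by time."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2] not in ("CONNECT", "DISCONNECT"):
            raise ValueError(f"line {lineno}: unrecognised record: {line!r}")
        when = datetime.fromisoformat(fields[0])
        events.append((when, fields[1], fields[2], fields[3], fields[4]))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events):
    """Pair CONNECT/DISCONNECT per (account, ip); unclosed sessions stay open."""
    open_sessions = {}
    sessions = defaultdict(list)
    for when, account, event, ip, country in events:
        key = (account, ip)
        if event == "CONNECT":
            # Keep the earliest start if a DISCONNECT record went missing.
            open_sessions.setdefault(key, (when, country))
        elif key in open_sessions:
            start, start_country = open_sessions.pop(key)
            sessions[account].append(
                {"ip": ip, "country": start_country, "start": start, "end": when})
    for (account, ip), (start, country) in open_sessions.items():
        sessions[account].append(
            {"ip": ip, "country": country, "start": start, "end": datetime.max})
    return sessions


def find_concurrent_logins(text):
    """Report accounts whose sessions from different source IPs overlap in time."""
    findings = []
    for account, items in sorted(build_sessions(parse_events(text)).items()):
        items.sort(key=lambda s: s["start"])
        for i, first in enumerate(items):
            for second in items[i + 1:]:
                if second["start"] >= first["end"]:
                    break  # sorted by start, so nothing later can overlap
                if second["ip"] == first["ip"]:
                    continue
                findings.append({
                    "account": account,
                    "overlap_start": second["start"],
                    "overlap_end": min(first["end"], second["end"]),
                    "sources": [(first["ip"], first["country"]),
                                (second["ip"], second["country"])],
                })
    return findings


if __name__ == "__main__":
    for f in find_concurrent_logins(SAMPLE_LOG):
        print(f["account"], f["overlap_start"].isoformat(), f["sources"])
```

Repeated logins from the same overseas address at odd hours pass silently here, which is the limitation the comment describes; only the overlap is flagged.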
Re: (Score:2)
> Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
Nah, there's an iPhone app for that.
Brutal (Score:5, Insightful)
This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this off safely.
This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medical building with 160K charts... Or 8 Million in VA.
Re: (Score:2, Insightful)
how is this interesting ? (Score:2)
I totally agree
"This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this off safely"
Look, all it takes is to implement systems that are as secure as possible
Re:how is this interesting ? (Score:5, Interesting)
The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.
And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.
You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.
blame the users .. :) (Score:2)
Re: (Score:2, Funny)
Re: (Score:2)
> But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?
Assuming that it _must_ be an either-or scenario, I'd rather have my medical history on port 80 open to the world. Sure, there'd be some (a lot of) abuses, but at least my doctors would know my medical history in an emergency or in case I get some long-term condition.
Re: (Score:2)
And I'd rather have mine not on port 80 at all. It should be at least port 443, and better yet, on some seriously secured interface where accessing that data requires some sort of transaction ID, and pre-auth with the data holder.
Furthermore - In that scenario, if I was in an emergency, I'd rather have the freaking hospital *call* my doctor's office directly to make sure my "history" is correct.
Has anyone ever wondered how people are supposed to verify the accuracy of these records?
Re: (Score:2)
> Furthermore - In that scenario, if I was in an emergency, I'd rather have the freaking hospital *call* my doctor's office directly to make sure my "history" is correct.
Right, because your doctor's office is open at 2am when you arrive at the emergency room. And I am sure you've found a way to make sure that, even in an extreme medical emergency, you will be able to stay alive without treatment for an extra 30 minutes while you're waiting for your doctor to get paged and call the ER docs back about y
Re: (Score:2)
Excellent counterpoint regarding a closed doctor's office. Here are my rebuttals:
1) Pertinent information in your medical history that would likely pop up would probably also be located in your local hospital. In fact, drug interactions and common procedure allergies will normally be discovered in the 24 hour hospital. Besides, doctors have to provide copies of what happens when you visit a practice to the local hospital and/or insurer anyway. It's part of the great medical (verifiable) paper trail.
2) I
Re: (Score:2)
This is absolutely wrong -- your insurance company, yes (but usually only procedures and diagnosis, not allergies, etc), but local hospital -- absolutely not.
2) In the hospital, when you're suffering from your emergency that'll kill you in 30 minutes, chances are they won't even have time to hunt down your electronic recor
Re: (Score:2)
Valid points, all. I think this is not really an argument about technology, but about whether the risks of EMR outweigh its benefits -- and that is largely subjective.
Per your four points:
Re: (Score:3, Insightful)
> But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?
Stand the problem on its ear: what if this information were worthless to credit thieves? What if this information simply was no longer able to wreck someone's life?
What we should do instead is make the paradigm of "name, address, SSN, etc.", valueless. Figure out a way to issue credit that wasn't strictly information based. One way would be to make the banks stop issuing credit by mail. If you physically had to walk into a secure building, and present credentials to someone trained to review them, c
Re: (Score:2)
You sir, are addressing this from a much better angle. The biggest reason EMRs are so valuable is because of the non-health information kept with them.
I personally don't care if the entire world knows I had knee surgery. In cases where someone had heart surgery, it's likely that they don't want a life insurer or health insurer to know... but they'll know anyway since that's their business. AFAIC - If our EMRs are not valuable to anyone outside the health industry, then I have no problem with them being p
Re: (Score:2)
Public key cryptography would solve the problem. You could give your public key to anyone without worry they could use it to impersonate you. Well, unless they are able to calculate the private key from the public key, but from what I understand this is currently impractical for even the NSA if you use a decent key size. Maybe quantum computing or advances in mathematics may change the situation, but we will have to just find something else at that point.
We could've had a public key system in place nearly
Re: (Score:2)
That's kind of what happens today, but the mess it leaves behind for the abused individual is still pretty heavy, and the bank doesn't really care what happens to them. Plus, in some cases the individual might have a dozen accounts to clean up.
Making credit harder to physically obtain would certainly place some additional burdens on all the customers, and would definitely reduce the number of cards issued. But in this debt-heavy economy, I have to ask if that would even be a bad thing?
Re: (Score:2)
Part of me wants this to happen now. There's no technological reason this stuff can't be reasonably secured. It is pure rampant stupidity. Computer security practices today are comparable to security guards leaving the back door unlocked so they can take a smoke break and get back in. The only thing that will fix this stuff is constant rampant security violations.
Worst-case, people just come to accept it and privacy dies. I guess that is quite a price to pay...
Re: (Score:2)
Missing my medical history. I don't care if someone steals my "credit." Identity theft is blaming the 3rd party victim for a bank's insecure practices. I
Re: (Score:2)
Agreed with the credit-fraud assessment. But I think we both know how quickly the feds will require that the banks and creditors clean up their acts...
This is a huge, everyday, constant problem. (Score:5, Interesting)
Re: (Score:3, Insightful)
Maybe we should stop making SSNs the end all be all of who we are.
Re: (Score:2)
Or we should quit using an identifier as a password.
Old Story (Score:5, Informative)
http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/ [wired.com]
The email informing students of the breach was sent on May 8th. It was all over the news last Friday.
Re: (Score:2, Informative)
Re: (Score:3, Informative)
Here is the text of the email that was sent out to the Berkeley community.
Re: (Score:2)
> Slashdot editors posting stories that are days old? Never!
Evidently, this is the exception that proves the rule.
Normally, they wait until a story is a month or two old, but someone screwed up and posted it before its time.
Re: (Score:2)
> Slashdot editors posting stories that are days old? Never!
> Evidently, this is the exception that proves the rule.
> Normally, they wait until a story is a month or two old, but someone screwed up and posted it before its time.
Don't worry, someone will post a dupe of it about the time it's due.
Time to live in secrecy (Score:3, Interesting)
Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.
If you don't have these accounts, you won't be vulnerable to monetary or identity theft.
Re: (Score:2, Insightful)
Re: (Score:2)
Technically you don't need a drivers license. You don't need permission to use the People's roads now, anymore than you needed permission one hundred years ago when you had a horse-and-carriage. Just because you sold the horse and switched to a Model T doesn't mean you lose the inalienable right to travel.
As for the proof of citizenship, an SSI card with birth certificate serves that purpose.
And... (Score:2, Insightful)
Re: (Score:2, Informative)
Re: (Score:2, Insightful)
Re: (Score:2, Interesting)
I once read an article about a "right" way to secure data. Even the authors admitted it wasn't foolproof but their point was, it was a lot more secure than what most people are using.
Every externally-facing computer was on its own sub-network, mostly isolated from everything else. Web sites, ftp sites, even wireless access points. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.
Portions of the "corpor
Sometimes you need an air gap (Score:5, Insightful)
It's not just military-grade information that needs protecting.
If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-phishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.
With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.
For some systems, a man in the middle is overkill; alarms that trigger when there are more than a typical number of data requests are sufficient. However, automated alarms, like any automated system, can theoretically be compromised.
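Added example, not part of the original comments: one way to build the kind of alarm described above, flagging an account whose distinct-record reads in an hour far exceed its own earlier hours. The access-log format, the account names and the threshold parameters (`k`, `floor`, `min_history`) are assumptions chosen for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median


def constructed_log():
    """Constructed sample lines: 'YYYY-MM-DDTHH:MM account record_id'."""
    lines = []
    per_hour = {
        # A clerk reading a handful of charts per hour.
        "frontdesk": [4, 6, 5, 3, 5, 4, 6, 5],
        # A web application account: steady load, then a bulk read in the last hour.
        "webapp": [38, 42, 40, 41, 39, 40, 43, 900],
    }
    for account, counts in per_hour.items():
        for i, n in enumerate(counts):
            hour = 9 + i
            for r in range(n):
                lines.append(f"2009-04-08T{hour:02d}:{r % 60:02d} {account} rec{r}")
    return lines


def hourly_distinct_reads(lines):
    """Map account -> {hour bucket -> set of record ids read in that hour}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: unrecognised record: {line!r}")
        timestamp, account, record_id = fields
        buckets[account][timestamp[:13]].add(record_id)  # bucket = 'YYYY-MM-DDTHH'
    return buckets


def find_bulk_reads(lines, k=5, floor=20, min_history=4):
    """Alert when an hour's distinct reads exceed median + k * MAD of prior hours.

    floor keeps low-volume accounts from alerting on small fluctuations;
    flagged hours are left out of the baseline so one bulk read cannot
    raise the threshold for the next one.
    """
    alerts = []
    for account, by_hour in sorted(hourly_distinct_reads(lines).items()):
        history = []
        for hour in sorted(by_hour):
            count = len(by_hour[hour])
            if len(history) >= min_history:
                mid = median(history)
                mad = median(abs(x - mid) for x in history)
                threshold = max(floor, mid + k * max(mad, 1))
                if count > threshold:
                    alerts.append((account, hour, count, threshold))
                    continue
            history.append(count)
    return alerts


if __name__ == "__main__":
    for account, hour, count, threshold in find_bulk_reads(constructed_log()):
        print(f"ALERT {account} {hour}: {count} records (threshold {threshold})")
```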
Re: (Score:3, Insightful)
So when you go to the emergency room, how is the hospital supposed to query your electronic medical records at your family doctor when it's behind an air gap?
Maybe they aren't. Re:Sometimes you nee (Score:2, Insightful)
If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.
Ho
Re: (Score:2)
"Gatekeeper" would be a far better term, IMO.
And for that matter, what you suggest is already used in meatspace... if you want to access public records, typically you need to go through a "custodian of records" or some such... this person helps ensure the validity of requests.
The problem with requiring a live person to act as a gatekeeper on digitally stored records is that in doing so, we lose a lot of
'computers' hacked .. (Score:2)
Re: (Score:2)
Re: (Score:2)
This was the University of California at Berkeley. The only OS they are permitted to run is the one they developed in-house: BSD, of course.
They were running BSD, weren't they? Why the hell would they want to run anything else if they had concerns about security?
Re: (Score:2)
Because sometimes they want to run prepackaged software on an operating system which is supported by the vendor?
Break-in free zone signs (Score:5, Funny)
The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.
Re: (Score:2)
If you detonate a nuclear bomb in Berkeley, you could be fined up to $500 and go to jail for thirty whole days.
No, I am not kidding [berkeley.ca.us].
Re: (Score:2)
Actually, I believe it's just "nuclear free zone", reflecting a ban on both nuclear weapons and nuclear power.
I heard a chemistry professor suggest that this means that the atoms there weren't allowed to have nuclei. My theory is that everyone who lives there is a prokaryote.
Actually, the nuclear free zone goes great with those "Drug Free Zone" signs [stopdrugs.org] you sometimes see. No joking, there's actually one on Telegraph Avenue. Of course, the standard interpretation is "Free Drug Zone". Perhaps the maintenance guy
Why is this news? (Score:2)
160,000 students records compromised (Score:2)
Re: (Score:2)
Who could benefit from this medical info? (Score:5, Interesting)
Re: (Score:2, Informative)
Re: (Score:2)
mysteriously refused insurance coverage
It's unlikely that the insurance companies would act directly, after all, they'd be in really deep shit if they were found to be in possession of this data, and such an act would be too much of a coincidence to write off, especially after the first two or three Berkeley students get rejected.
No, mid-to-large size corporations are the ones that'll use this. They'll be the ones that can afford a few bucks for "candidate screening" and since their employment decisions are
Insurance companies can already do this. (Score:2)
The federal government has already granted insurance companies carte blanche to your medical records. The fact this is sanctioned by the government is corrupt and despicable, nonetheless no criminal element can harm you more than these insurance companies can, so this "theft" is a non-event.
Meanwhile, I'll continue to be denied all coverage because of Crohn's disease, which is not related to lifestyle, while people with obesity related diabetes and hypertension continue to readily receive it.
When will it be illegal to store/lose this data? (Score:4, Interesting)
Re: (Score:2)
Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
Unfortunately, there is (and can be) no such proof. It's a part of the fundamentals of security: you can't prove a negative.
The way I see it, we really have three choices for protecting data:
Re: (Score:2)
A fourth would be separation of data onto different databases on different servers. If social security numbers are not needed, have those stored in a smaller armored database that doesn't connect to the Web. Instead, use another number.
This way, if an application needs information, it can grab what it needs, but no more.
Re: (Score:2)
Some states like California do punish companies who have a security breach involving Credit Card numbers and SSNs.
2.) make it illegal to store a social security number/credit card number?
If credit card numbers are hosted by your company, the company is probably subject to the rules established by the PCI Security Standards Council (See https://www.pcisecuritystandards.org/ [pcisecuritystandards.org] ). If your business does not comply, the Payment Card Industry will now allow you to process financial transactions, or they will limit
Re: (Score:2)
It already is. California has a law (SB 1386) that has been in effect since 2003 concerning the responsibility of companies and government agencies to keep their databases secure and to publicly report any breach of confidential personal information within 30 days of the incident.
Full text of the bill is here: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html [ca.gov]
There are no fines imposed, but the public humiliation of having to admit that they lost data can cost a co
Re: (Score:2)
It is already illegal, because this was medical data. For allowing this data to escape, UCB is subject to civil monetary penalties under HIPAA. These penalties go at $100 per violation, which means they'd theoretically owe $16,000,000. Unfortunately, the penalty is capped at $25,000 per year, so it's going to be a drop in the bucket.
Now, if the data was compromised knowingly by an employee of the University, then that employee as well as the university would be subject to criminal fines of up to $250,000 an
Re: (Score:2)
[M]y solution: The Social Security Administration announces that on July 1st, 2010, all SSNs and the names they are associated with will be published and available to everyone. Leave it up to the finance and health care industries to stop using SSNs as authentication.
I love this solution! The Social Security Administration always said the number was not to be used for identification. This would prove they meant it.
Credit suffers from the same problem, by the way. We use the account number as the account to charge as well as the authorization to charge. If we used a different value for authorizing (such as one generated on a smart credit card) there would be no need to protect account numbers, other than simple privacy.
privacy? what privacy? (Score:5, Funny)
So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.
I wish that were funny.
Re: (Score:2)
> If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.
Well, now you're just being redundant :P.
Better Off Stolen? (Score:2, Interesting)
why not get rid of em (Score:2)
how long will it be before we can stop relying on something as easy to get as a social security number as a unique identifier?
It's not at risk (Score:2)
It was at risk before it was infiltrated. Now the loss has been guaranteed.
Probably not overseas criminals... (Score:2)
Re: (Score:3, Insightful)
Did they get into the system with intricate knowledge of computer systems or did they brute force and crack a password or other encryption scheme?
(bad) Hacker may be an appropriate term. Just as there are probably (good) hackers probably trying to figure out who did this.
Re: (Score:2)
Depends on which online use-spam-to-encrypt-messages-service you used, like www.spammimic.com.
Re:Hackers or Crackers? (Score:4, Funny)
Just because they're on the internet doesn't mean they're white.
Re:Hackers or Crackers? (Score:5, Insightful)
If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...
Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
</feeding the troll>
Re: (Score:2)
Smart a_n_d unliked? How foolish.
CC.
Re: (Score:2)
Man if only they were using OpenBSD... That would've been so... much.... ummm....
Re: (Score:2)
Were the databases Microsoft-based?
oh classic, modded as flamebait for asking a legit question which might give some insight into the actual security situation.
You might quit while you're ahead, err, behind. I've got Karma to burn though, so I'll quote you to see if anyone knows. It's my experience that medical researchers prefer Windows machines and access databases since they use Microsoft in hospital settings. Anyone else got more insight on the preferences of the Berkeley folk?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
First off, I NEVER said all H-1b workers are criminals. I said it is impossible to do a background check on workers from India-or other similarly corrupt countries.
Every US worker could be replaced by workers from India or China at less than 25% of current costs. Does that mean they should be?
We will never see more US workers going into technical professions as long as those occupations are provided immigration preferences at no cost to the employers-and there thus will be little incentive to improve the US
Re: (Score:2)
> First off, I NEVER said all H-1b workers are criminals. I said it is impossible to do a background check on workers from India-or other similarly corrupt countries.
No. What you said is:
The management of UC Berkeley should be investigated for criminal negligence.
Now tell me this: why UC Berkeley should be held responsible for something EVENTUALLY the federal government should have done? Or better: should UC Berkeley completely give up in immigrants and rely on subpar American educated professional? Or again: Should UC Berkeley have better security to monitor everybody (Americans and not) within itself to prevent this to happen? Or is it just easier to blame the "undocumented foreigners" (here in the sense of people without background checks...
Re: (Score:2)
The area in which there was potential negligence was allowing any workers on which a good background check cannot be done to manage data that is highly confidential. There is a contradiction between US HIPAA regulations on the management of confidential information and US regulations that tend to discourage background checks. I think this sort of thing happened much less regularly when background checks were more a fact of life in the US for any management of sensitive data in government institutions (that h
Re: (Score:2)
"It's a shame that our people don't want higher educations to work in a high-tech field. Many of the people who I know that didn't attend college work in the Oil Patch, choosing short term returns over education."
If you are starting out in India or Pakistan, there is a huge incentive to get Canadian or US citizenship. If someone already had citizenship rights, the additional payoff from getting a technical education is minimal. The way Singapore handles this:
a company can get all the foreign workers they wa
Re: (Score:2)
I think if you look, the economic protections for unskilled workers are considerably greater in Japan, Singapore, South Korea-and those are all highly competitive economies without a trade deficit or massive government borrowing-and they don't have the huge resource base the US has.
The folks in the US that are most highly paid relative to world standards and US median income are corporate executives, some folks in protected professions(Japan has a tiny fraction of the attorneys the US has) and some occupati
Re: (Score:2, Informative)
Are you serious? They're not trying to save a few bucks on the support staff -- that's what students are for. They have a large number of international employees because they hire researchers, lecturers, and professors from overseas to promote the exchange of ideas across cultures. Since that is, you know, the entire point of a university.
It is you that should be investigated for criminal dipshittery.
Re: (Score:2)
It is certai
Re: (Score:2)
Do you really want to say there is no connection between recruiting technical workers upon whom no effective background check can be done and security breaches?
I think the question should at least be examined closely. Enron BTW made some rather strange investments in India-and was an H-1b [intellectu...vative.com] intensive shop.
No one has done a comprehensive analysis here-in part because the companies that bought H-1b legislation have specifically made reporting standards inadequate for such an analysis.
I don't think most H-1b wor
Re: (Score:2, Interesting)
My SSN was in the 160k :-/ Just spent the last 30mins signing on to Experian to put a fraud alert on my account. Anyone understand whether this is good or not? Should I do something else? Also, I see that a freeze will cost $10. Berkeley isn't shelling out for this. It sucks, this is not my fault, some idiots left some ports open and now it's my problem and I don't see much of a concerted response from Berkeley to drive the protection from their end, they do have a website and telephone hotline but I have t
Re: (Score:2)
Start looking for a class action suit now. It's gross negligence to store this information on an internet-connected machine, which is indeed what happened here. (Split the database and front end, fools. At least that raises the bar slightly.)