Lessons from the UCLA Hack Attack

Up to 800,000 of the school's students, faculty and alumni may be vulnerable to identity theft. What went wrong, and what can be done about it?

University letters to students and alumni are usually cheerful. But the University of California at Los Angeles (UCLA) [ucla.org] is now composing 800,000 embarrassing ones. The university announced Tuesday that it's notifying nearly a million members of its community — including students, faculty and alumni — that a hacker gained access to their Social Security numbers, dates of birth, home addresses and contact information. UCLA computer security technicians noticed a suspicious number of database queries on Nov. 21, and after a quick investigation, discovered that a hacker had accessed records fraudulently all the way back to October of 2005. The university blocked further access to the private data and hired a consultant to help figure out how it happened. In a letter to those who may have been victimized, UCLA's Acting Chancellor Norman Abrams noted that the data does not include credit card or banking information, but apologized. "I deeply regret any concern or inconvenience this incident may cause you," Abrams wrote.