Universities Vulnerable to ID Thieves
Sunday, December 17, 2006; 2:13 PM
LOS ANGELES -- Universities have become attractive targets for hackers who are taking advantage of the openness of the schools' networks, their decentralized security and the personal information they keep on millions of young adults.
A major database breach at the University of California, Los Angeles that went undetected for more than a year and a smaller breach at the University of Texas are the latest examples of how vulnerable colleges are to such attacks, security experts said.
Universities account for more than 50 data breaches on a list of more than 300 so far this year as tracked by the Privacy Rights Clearinghouse. Hackers have broken into computer systems at Georgetown University, Ohio University, the University of Alaska and Western Illinois University, among others.
"They are a major category, if not the major category," Clearinghouse director Beth Givens said.
The UCLA breach was discovered Nov. 21 when the university noticed a hacker was fishing through the database specifically for names and Social Security numbers. Officials said the hacks date back to at least October 2005.
University officials say that only a small number of records containing Social Security numbers were accessed, probably less than 5 percent of the 800,000 total records. The university notified the FBI, which has launched a probe into the incident.
Hackers also might have obtained the personal information of 6,000 people who worked for, applied to or attended the University of Texas at Dallas, school officials said last week. The information includes names and Social Security numbers, the school said. In some cases, addresses, e-mail addresses and telephone numbers also might have been obtained.
In both cases, school officials stress there is no indication that any of the information has been used to obtain phony credit cards or commit identity-theft crimes.
One reason university databases make such attractive targets is that Social Security numbers are routinely used to identify students.
"It is about time that Social Security numbers receive more protection or that they no longer be used for identifying individuals within the university system," Givens said.
UCLA no longer uses Social Security numbers to identify students, according to Jim Davis, the university's chief information officer.
In addition, the school has tightened security by requiring that all computers connecting to its networks be inspected and have the latest antivirus software and other security programs installed.