UC Berkeley Hacker Story

I know this is old news, but I am trying to track down the difference in estimated impact numbers (600,000 or 1.4 million Californians?) so I decided I would blog my research:

Reuters, 10/19/04: Hacker Hits California University Computer
- Names, SSNs, Home Addresses, Dates of Birth of 1.4 million Californians
- Breach identified end of August; Feds notified 9/27; announcement 10/19

SecurityFocus, 10/19/04: California reports massive data breach
- Hacker used known vulnerability in database software.

Daily Californian, 10/20/04: Campus Computer Hacking Spurs Federal Investigation
- same impact – 1.4 million
- breach occurred 8/1/04; breach identified 8/30/04; Feds notified 9/21/04

ABC Channel 7 KGO, 10/20/04: Hacker Breaks Into UC Berkeley Computer, Has Records Of Residents
- in which we learn that some of the records may have been duplicates.
- first debate about the implications of SB 1386: “Ramos said officials decided to disclose the breach as a precaution; he said the law doesn’t force disclosure unless it is determined a database has been downloaded. However, Hoofnagle noted that the law provides for notification if the data ‘is reasonably believed’ to have been taken by an unauthorized person.”

AP via Grand Forks Herald 10/20/04: Hacker Breaks Into UC Berkeley Computer
- number is down to “more than 1 million state residents.”

AP via San Luis Obispo Tribune 10/21/04: Hacker cracks UC Berkeley computer with data of state residents
- finally found the smoking gun – UC Berkeley officials have modified their estimates down to 600,000 records.
- the culprit: “a visiting scholar working in the campus’ Institute of Industrial Relations”

San Francisco Chronicle 10/21/04: Hacker exposes private data at UC
Computer held personal files on 600,000 Californians
- beans spilt on culprit name: Connecticut College Associate Professor of Economics Candace Howes.

Berkeley Daily 10/23/04: Hacker Exposes UC Private Information
- how it occurred: “Officials believe the security breach was related to linking a non-UC computer and non-UC server to the campus network system without taking proper precautions against intrusion.”

Tri-Valley Herald, 10/23/04: Scholar disputes claim in hacking attack
- Candace fights back: “I sought to ensure the security of the database by consulting with the appropriate personnel from the Berkeley information technology staff,” Candace Howes wrote. “To my knowledge, Berkeley staff did what was necessary to properly install and secure the hardware to their network. Unfortunately, Berkeley’s network was criminally hacked and the computer I was using was accessed.”

How utterly gratifying all this fingerpointing is. Not.

MSNBC 10/27/04: California data leak raises questions
- back up to 1.4m and the politicians and second-guessers start weighing in. All with fairly valid points, I think.

[no mention since 10/29/04... maybe this means the story had legs for about 9 days... we'll see.]