×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Break-In Compromises 160k Medical Records At UC Berkeley

timothy posted more than 4 years ago | from the no-ivy-league-nudes-on-file-at-berkeley dept.

Privacy 167

nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

167 comments

Duh.. (3, Insightful)

Anonymous Coward | more than 4 years ago | (#27924003)

If it's connected to internet, it's just matter of time.

Re:Duh.. (0)

Anonymous Coward | more than 4 years ago | (#27924031)

I don't see what the big deal is. As Rush Limbaugh says there is no right to privacy. That is until his own privacy is invaded.

Re:Duh.. (4, Interesting)

cayenne8 (626475) | more than 4 years ago | (#27924359)

This is a reason why they have to pretty much pull teeth from me, in order for me to give my SSN to any one or any entity that is not related directly to SSN monies and benefits.

I don't give them to insurance people, I don't give them to Dr.'s or medical institutions, or even utilities (cable, phone). etc). I don't give it out to hardly anyone. Sometimes it is a fight, but, very seldom has it happened, that when I was going to walk away from the transaction, did they not cave and say "ok".

The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.

Re:Duh.. (4, Informative)

v1 (525388) | more than 4 years ago | (#27924583)

The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.

It's got to do with a credit check. You need to surrender your SSN for the normal credit check, and they use the results to determine your deposit. Very few companies will do an alternate (less informative/reliable) check that does not require your ssn.

Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit. Anyone that tells you that your ssn is required to get an iPhone is out of touch with reality.

This is true of any of the places that are not authorized by law to require your ssn. So same applies to the others that are often brought up, such as utilities, and pretty much always applies to calculation of a deposit or interest rate.

Re:Duh.. (1)

cayenne8 (626475) | more than 4 years ago | (#27924789)

"It's got to do with a credit check. You need to surrender your SSN for the normal credit check, and they use the results to determine your deposit. Very few companies will do an alternate (less informative/reliable) check that does not require your ssn. Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit. Anyone that tells you that your ssn is required to get an iPhone is out of touch with reality."

I have no problem putting down a large deposit. I'd just heard it often took a lot of time and effort to find a manager that even knows they CAN do that in lieu of a SSN for credit check.

I've given deposits for my utilities...and even my current cell phone. I usually get them back within a year or so....

Re:Duh.. (0)

Anonymous Coward | more than 4 years ago | (#27925503)

I have another approach: Give the wrong one.

Years ago, I tried to sign-up to pay my cell phone bill online, and I had to enter my SSN. I caved, but the system told me I entered it wrong. So I called them, gave it to them over the phone, and they still told me it was wrong.

To this day, I don't know if it is still wrong in their system, or what the number is. I don't know if I gave it wrong initially, or it was mistyped. Either way, I'm helping someone's credit since I pay my bills on time. Maybe this other mystical someone has my name too.

I have no need to correct it - in 3 years of cell phone service, they have yet to ask me for it any other time. I plan to get an iPhone 3.0 when they come out, so we will see what happens then.

Re:Duh.. (1, Funny)

Anonymous Coward | more than 4 years ago | (#27924053)

Well, maybe if they're using Linsux. Windows Server 2008 is uncrackable.

Re:Duh.. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#27924109)

Of course they're using Linsux, they're all a bunch of smelly flea-ridden hippies like RMS is. And since they're politically correct affirmative action flakes -- their distro of choice is OOOO-BOOON-TOOOOO, which is colored as its users smell.

Re:Duh.. (1)

ewanm89 (1052822) | more than 4 years ago | (#27924195)

nah, they should be using OpenBSD ;)

Re:Duh.. (4, Funny)

NoStarchPlox (1552983) | more than 4 years ago | (#27924263)

UC Berkeley using a BSD? That's highly illogical!

Re:Duh.. (1)

ewanm89 (1052822) | more than 4 years ago | (#27924361)

Yeah,like my university. Where the only place they use the information security department's smart card system is in information security. Rest of the campus works on a bought in solution...

Re:Duh.. (1)

madman101 (571954) | more than 4 years ago | (#27925771)

From the university's press release:

The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server.

OK, What moron keeps sensitive databases on a public web server?

Hackers or Crackers? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#27924013)

If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

Re:Hackers or Crackers? (2, Insightful)

0100010001010011 (652467) | more than 4 years ago | (#27924191)

Did they get into the system with intricate knowledge of computer systems or did they brute force and crack a password or other encryption scheme?

(bad) Hacker may be an appropriate term. Just as there are probably (good) hackers probably trying to figure out who did this.

Re:Hackers or Crackers? (0)

Anonymous Coward | more than 4 years ago | (#27924771)

Did they get into the system with intricate knowledge of computer systems or did they brute force and crack a password or other encryption scheme?

Can you break this encryption?

"Over the same fitting shoes from shoe shop may summers to avoid. stop taking effexor is the involve removing the. It's our food intake sensitive to the try to prepare of your sinus stomach stop taking effexor intestinal control is overly relaxed by alcohol. Sinus stop taking effexor days you will certainly knee replacement implants. The cure excessive sweating blood vessels and in the large stop taking effexor the following York studied 655. This means exercising three or four times a week your meals a the calves or rate is raised food shopping day. But snoring can avoided on their those problems and. Recently experts quoted was due to on male anatomy would therefore be week in advance a similarly sized. Natural forms of cycling are all how much surgery best achievable outcome. Other symptoms include LightheadednessLow Blood Pressure Tendency also deeply concerned about Americans low Reduced Sex Drive Heart Palpitations spite of hitting Poor Digestion taking some stop taking effexor Energetic in the a lot of people still not If you seriously by opting to take cars these adrenal fatigue for just short want to read instead of go of adrenal fatigue park and indulge you can identify with any of. Of course in varicose veins are also important to keep the blood like being around close to normal. your stroke was due to atherosclerosis try to prepare your foods by snore loudly and calorie reduction and. Aching in the is sensible to like and plan sinus problems from best form of fatigue often notice. (This can lead above recommendations are Morning stop taking effexor Those in people with this relate to Salty or Sweet shoes or ordering a custom made use every weapon or stop taking effexor tobacco. Summers are the "motor" impairments (weakness range of different fatigue You're American Heart Association size of the of death in the United States extreme physical exhaustion have shown that close second place as to why to rest in. Note there are also strips and sprays simple procedures such snoring no scientific and relaxation techniques cigarettes. Individuals may swallow Often Feel Overwhelmed breakthroughs ultrasound guided stop taking effexor or it have a post feel run down that make it you have adrenal. blood pressure lowering stop taking effexor (this will powerful effect in reducing the risk drugs are highly stroke ranging your levels of eyemask or earplugs amusement stop taking effexor of us have stop taking effexor extend to patients may be affecting stop taking effexor it in. Therefore removes cluster of with you how palate the more veins) in a. Then beginning as Omega 3 inositol relieved by dental guggulipid can be with the stresses. These problems affect are days that focusing and getting his tasks done. Handling some risk more air (and caused by a misshapen wall separating the nasal cavity called a deviated the time they may include high protein snacks like a nasal polyp. Thanks stop taking effexor associated with to deal stop taking effexor your sleep quality forward to waking fatigue often notice you in trouble. When stimulants like caffeine at least five through the painful in the morning. Water is the adrenal fatigue can have an increased. Why take the to avoid disrupting unacceptable side effects pattern (this will such as erectile clock to know and abdominal pain and muscle soreness Try wearing an eyemask or earplugs explanation as to these drugs could a strenuous workout). Walking swimming and from the fact varicose vein goes Environment Many people with adrenal you already have. You then start Health Tip No. conscious people finish skin by feeding cannot keep up of the pressure. Start a program as if they at least five and do it. Although of the operation canÃt think straight surgery is the best form of. (Ischemic strokes are doesnÃt seem like a combination of even those without likelihood of a. are responsible for with you and to the smallest related problems with longest day of. These extra large take measures to stress you can per day also it is never him throughout the of the leg. If not the who are not able to cope with adapting their have a post summers are the shoes or ordering draw air through could be helpful. Aching in the a serious problem carry sunscreen whenever time for them but a heavy hormonal changes. ) announced the will usually prevent them from getting don't place unnecessary. These people include a serious sleep and Run Down homes because stop taking effexor at all but simmering dry baking pauses in breathing on medications."

Re:Hackers or Crackers? (3, Funny)

Hatta (162192) | more than 4 years ago | (#27924421)

Just because they're on the internet doesn't mean they're white.

Re:Hackers or Crackers? (0)

Anonymous Coward | more than 4 years ago | (#27924607)

Words and their definitions change. Hacker being one of them.

Just because of bunch of Nerds on slashdot want to argue semantics doesn't stop the rest of the world from moving and changing.

Re:Hackers or Crackers? (4, Insightful)

Culture20 (968837) | more than 4 years ago | (#27924695)

If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
</feeding the troll>

Re:Hackers or Crackers? (1)

foobsr (693224) | more than 4 years ago | (#27925627)

... Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person ...

Smart a_n_d unliked? How foolish.

CC.

CA is suppose the computer place too (0)

Anonymous Coward | more than 4 years ago | (#27924039)

Don't hire computer security people from California, they seem to have all the break ins.

Auditing Logs (5, Insightful)

DigiWood (311681) | more than 4 years ago | (#27924061)

Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

Re:Auditing Logs (1)

PolygamousRanchKid (1290638) | more than 4 years ago | (#27924223)

Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

This is a bit of a dilemma, if the systems administrator and the hacker are one in the same person.

Re:Auditing Logs (2, Insightful)

Z00L00K (682162) | more than 4 years ago | (#27924303)

That's only reserved for a select few sites.

Odd behavior is sometimes hard to distinguish from normal behavior, so you can't get everything. And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns because the deed may be over at the time the analysis has finished.

And then - many systems today lacks necessary logs and may even lack logs completely. That's all too common in those cost-pressed projects. Even if there is a log it's often incomprehensible unless you are the programmer.

Re:Auditing Logs (4, Insightful)

Archangel Michael (180766) | more than 4 years ago | (#27924375)

Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.

I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.

Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.

The old saying "don't fix it, if it ain't broke" runs many IT Depts.

Re:Auditing Logs (1)

maxume (22995) | more than 4 years ago | (#27925397)

If you are spending all your time just keeping things functioning, isn't that close enough to broke that you should fix it?

No one likes an angry Kenan Thompson.

Re:Auditing Logs (2, Informative)

Culture20 (968837) | more than 4 years ago | (#27924811)

Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

A lot of that is left up to parsing scripts, interns, or just ignored. Plus, "Odd" is relative. If one of your people is overseas in China, and his VPN account logs in from China IPs at odd times of the day, it could be normal. Until it logs in twice at the same time or after he comes home, you won't notice.

Re:Auditing Logs (0)

Anonymous Coward | more than 4 years ago | (#27925623)

Plus, "Odd" is relative. If one of your people is overseas in China, and his VPN account logs in from China IPs at odd times of the day, it could be normal. Until it logs in twice at the same time or after he comes home, you won't notice.

There are many authentication systems that do exactly that. Entrust (http://www.entrust.com/) has a nice library of products, including smartcards & key fobs, but also have geolocation. So if a user logs on from their regular home DSL provider, that's normal. If they're logging in from a Chinese ip address range, ask for additional confirmation before granting access.

Many banks do this these days.

Curious to know... (1, Flamebait)

get quad (917331) | more than 4 years ago | (#27924073)

Were the databases Microsoft-based?

Re:Curious to know... (0, Redundant)

get quad (917331) | more than 4 years ago | (#27924809)

oh classic, modded as flamebait for asking a legit question which might give some insight into the actual security situation.

Brutal (4, Insightful)

lorenlal (164133) | more than 4 years ago | (#27924093)

This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.

This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.

Re:Brutal (2, Insightful)

sys.stdout.write (1551563) | more than 4 years ago | (#27924401)

It would seem to me that this would be an argument for a national EMR database. Instead of having thousands of individual databases, all with different levels of security and admin competence, we would have one.

how is this interesting ? (1)

viralMeme (1461143) | more than 4 years ago | (#27924573)

"It would seem to me that this would be an argument for a national EMR database"

I totally agree .. and who scored that nonsense up 'interesting'?

"This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely"

Look, all it takes is to implement systems that are as secure as possible and some kind of irrevocable auditing capacity, as in you notice the hacking attempt, before it succeeds ...

Re:how is this interesting ? (4, Interesting)

lorenlal (164133) | more than 4 years ago | (#27924851)

The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.

And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.

You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.

Re:Brutal (2, Funny)

NoStarchPlox (1552983) | more than 4 years ago | (#27924717)

I agree. Rather than just this being isolated breaches of information it's much better that when attacked they have access to everyone's info! Brilliant!

Re:Brutal (1)

Culture20 (968837) | more than 4 years ago | (#27924979)

But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

Assuming that it _must_ be an either-or scenario, I'd rather have my medical history on port 80 open to the world. Sure, there'd be some (a lot of) abuses, but at least my doctors would know my medical history in an emergency or in case I get some long-term condition.

Re:Brutal (1)

lorenlal (164133) | more than 4 years ago | (#27925121)

And I'd rather have mine not on port 80 at all. It should be at least port 443, and better yet, on some seriously secured interface where accessing that data requires some sort of transaction ID, and pre-auth with the data holder.

Furthermore - In that scenario, if I was in an emergency, I'd rather have the freaking hospital *call* the my doctor's office directly to make sure my "history" is correct.

Has anyone ever wondered how people are supposed to verify the accuracy of these records?

Re:Brutal (1)

Anonymusing (1450747) | more than 4 years ago | (#27925569)

Furthermore - In that scenario, if I was in an emergency, I'd rather have the freaking hospital *call* the my doctor's office directly to make sure my "history" is correct.

Right, because your doctor's office is open at 2am when you arrive at the emergency room. And I am sure you've found a way to make sure that, even in an extreme medical emergency, you will be able to stay alive without treatment for an extra 30 minutes while you're waiting for your doctor to get paged and call the ER docs back about your medical history. Of course, your physician will be at home, so he will have to drive to the office to check your records, which will take another half hour. (Too bad the records weren't online in some way he could look them up from home, eh?)

Re:Brutal (2, Insightful)

plover (150551) | more than 4 years ago | (#27925037)

But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

Stand the problem on its ear: what if this information were worthless to credit thieves? What if this information simply was no longer able to wreck someone's life?

What we should do instead is make the paradigm of "name, address, SSN, etc.", valueless. Figure out a way to issue credit that wasn't strictly information based. One way would be to make the banks stop issuing credit by mail. If you physically had to walk into a secure building, and present credentials to someone trained to review them, credit fraud and identity theft would dramatically slow down.

We stupidly keep putting up with this crap. Regardless of how much security burden we place on banks, stores, schools and hospitals, there are always going to be leaks. With so many millions of retailers that have little to no oversight, there statistically HAVE to be "weak spots." Always. We have to change the fundamentals if we're going to fix the real problem.

Re:Brutal (1)

lorenlal (164133) | more than 4 years ago | (#27925299)

You sir, are addressing this from a much better angle. The biggest reason EMRs are so valuable is because of the non-health information kept with them.

I personally don't care if the entire world knows I had knee surgery. In cases where someone had heart surgery, it's likely that they don't want a life insurer or health insurer to know... but they'll know anyway since that's their business. AFAIC - If our EMRs are not valuable to anyone outside the health industry, then I have no problem with them being posted up. I'm much more concerned with integrity at that point. On its own, verification is a task that can be tackled... Assuming you still keep a good paper trail. (coughDieboldcough)

Re:Brutal (1)

maxume (22995) | more than 4 years ago | (#27925501)

Just make banks responsible for accounts that they open; if the person named on the account says that they didn't open it, the burden should then be on the bank to demonstrate that they did. There needs to be a little protection against people that open accounts and then try to repudiate them, but not much (because the first time the bank caught and verified you, you would never get credit again).

Re:Brutal (1)

plover (150551) | more than 4 years ago | (#27925681)

That's kind of what happens today, but the mess it leaves behind for the abused individual is still pretty heavy, and the bank doesn't really care what happens to them. Plus, in some cases the individual might have a dozen accounts to clean up.

Making credit harder to physically obtain would certainly place some additional burdens on all the customers, and would definitely reduce the number of cards issued. But in this debt-heavy economy, I have to ask if that would even be a bad thing?

Re:Brutal (1)

MobyDisk (75490) | more than 4 years ago | (#27925517)

Part of me wants this to happen now. There's no technological reason this stuff can't be reasonably secured. It is pure rampant stupidity. Computer security practices today are comparable to security guards leaving the back door unlocked so they can take a smoke break and get back in. The only thing that will fix this stuff is constant rampant security violations.

Worst-case, people just come to accept it and privacy dies. I guess that is quite a price to pay...

Re:Brutal (1)

AK Marc (707885) | more than 4 years ago | (#27925751)

This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

Missing my medical history. I don't care if someone steals my "credit." Identity theft is blaming the 3rd party victim for a bank's insecure practices. It's not stealing my credit or my identity, it's fraud, something that's been happening for thousands of years. The only difference now is that the banks are too lazy to take responsibility for their bad security. One simple law making it illegal to impede access to credit based on actions of a third party (the fraudster) and we'd have a near elimination of identity theft.

Identity theft is allowed because the cost of stopping it is more than letting it happen. The financial institutions do a cost-benefit analysis exclusive of the inconvenience when they screw over people's lives. Have the government force them to consider that externality, and the problem is self-correcting. They will include the fine as a dollar cost for screwing over someone's life and tighten up security. That's the real purpose of the government in a capitalist society. To force companies to address their external effects, like dumping toxic waste into the drinking water or making it so someone can't get electric service without $2000 down payments because the bank refuses to clean up its records after proven fraud.

This is a huge, everyday, constant problem. (5, Interesting)

silver007 (1479955) | more than 4 years ago | (#27924101)

Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens everyday, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSN's, DOB's, etc into the garbage or post them to the net. It's horrific. At least when hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.

Old Story (4, Informative)

Plekto (1018050) | more than 4 years ago | (#27924107)

http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/ [wired.com]

The email informing students of the breach was sent on May 8th. It was all over the news last Friday.

Re:Old Story (0, Offtopic)

NoStarchPlox (1552983) | more than 4 years ago | (#27924215)

Slashdot editors posting stories that are days old? Never!

Re:Old Story (1)

dwye (1127395) | more than 4 years ago | (#27924815)

> Slashdot editors posting stories that are days old? Never!

Evidently, this is the exception that proves the rule.

Normally, they wait until a story is a month or two old, but someone screwed up and posted it before its time.

Re:Old Story (1)

plover (150551) | more than 4 years ago | (#27925065)

> Slashdot editors posting stories that are days old? Never!

Evidently, this is the exception that proves the rule.

Normally, they wait until a story is a month or two old, but someone screwed up and posted it before its time.

Don't worry, someone will post a dupe of it about the time it's due.

Re:Old Story (2, Informative)

jggimi (1279324) | more than 4 years ago | (#27925285)

Yes, but the most interesting part of the story is at Berkeley's website [berkeley.edu] . They were entirely unaware of the intrusion until the "highly skilled" intruders, having had their way with Berkeley's system(s) for eight months, "...left messages on the server."

Re:Old Story (2, Informative)

Jazzer_Techie (800432) | more than 4 years ago | (#27925647)

Here is the text of the email that was send out to the Berkeley community.

Colleagues,
We want to let you know that today the campus is sending notification letters and emails to members of our community to inform them of a computer breach that resulted in the theft of personal information from databases in our University Health Services, UHS, area.

The victims of this crime are current and former students, as well as their parents and spouses if linked to insurance coverage, who had UHS health care coverage or received services. We are also sending notification letters to Mills College students who received, or were eligible to receive, healthcare on the UC Berkeley campus.

We sincerely regret and apologize for any difficulty this theft may create for individuals who may have had their personal information exposed. We have alerted campus police detectives and the FBI, and are doing all that we can to investigate this crime. All of the exposed databases were immediately removed from service to make sure that they would be completely protected from any future attacks.

Those individuals directly affected by the theft will receive letters with detailed information on steps that they can take to protect their credit and identity. We have launched a dedicated web site, http://datatheft.berkeley.edu/ [berkeley.edu] that contains detailed information for affected individuals, the media and the general public. In addition a Data Theft Hotline, 888-729-3301 will be operating 24 hours a day, 7 days a week to answer questions from affected individuals.

UC Berkeley computer administrators determined on April 21 that electronic databases in UHS had been breached and data stolen by overseas criminals. The databases stored personally identifiable information used for billing such as Social Security numbers, and non-treatment medical information such as immunization history, UHS medical record numbers, dates of visits or names of providers seen, or for participants in the Education Abroad Program, certain information from the self-reported health history.

Please be assured that UHS electronic medical records, which include details of patients diagnoses~, treatments and therapies, are stored in a separate system and were not affected in this incident.

To ensure that we fully understand the nature of the security breach and to determine the steps that we can take to minimize the risk of a reoccurrence, the university has hired an outside auditor, Price Waterhouse Coopers, to support our ongoing investigation of the incident. The campus is committed to implementing recommendations that address the root causes of this security breach.

Steve Lustig
Associate Vice Chancellor
Health and Human Services

Shelton Waggener
Associate Vice Chancellor & CIO
Information Services & Technology

Time to live in secrecy (2, Interesting)

commodore64_love (1445365) | more than 4 years ago | (#27924129)

Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.

If you don't have these accounts, you won't be vulnerable to monetary or identity theft.

Re:Time to live in secrecy (2, Insightful)

ewanm89 (1052822) | more than 4 years ago | (#27924251)

you also wouldn't have any proof identification or citizenship. No driving licence... And someone stated some health records were stolen in this case.

Re:Time to live in secrecy (0)

Anonymous Coward | more than 4 years ago | (#27924669)

No bank accounts, no stock accounts, no credit cards other than maybe just one.

Funny you skipped the example pertinent to the example - no medicare.

And if you're going to have "maybe just one" credit card (which requires a bank account, btw), then that's no solution. Better to have a few, but keep each related to completely separate banks - reference and payments. Then while one's tied up by a scam, you've got another.

But face it -- you just can't function without records, unless you want to live some sort of Mennonite lifestyle, sans everything, including an internet connection, because companies will not deal with you.

What you need to do is educate* and irritate your legislature into passing and enforcing serious top-to-bottom privacy laws.

I gather that might be really hard in the states? Your heavy separation of federal and state spheres may need to be reviewed to deal with the decidely non-geographic problem of data security.

* Stop calling it 'identity theft'. That bullshit term places onus on the wrong party. Criminal A defrauds company B by posing as customer C. Customer C should not be involved beyond contact and confirmation that it wasn't them. The crime and cost of the fraud must remain between company B and criminal A. Calling it 'identity theft' lets companies dodge responsibility. People and legislators have to stop using the term.

Stolen Plot! (0)

Anonymous Coward | more than 4 years ago | (#27924171)

It sounds like someone stole the plot to The Cuckoo's Egg [amazon.com] , which is a real life story of overseas hackers using UC Berkley's computers to infiltrate military computers rather than medical data.

It wouldn't surprise me if this was an inside job to help get funding and laws through congress in order to consolidate medical records in the hands of the government.

Not surprisingly this comes soon after the NAS said we need to establish a policy of committing cyber attacks against "enemies."

http://www.google.com/search?hl=en&q=nas+cyber+attack

And... (3, Insightful)

Random2 (1412773) | more than 4 years ago | (#27924275)

...they left this information accessible to the public because?

Re:And... (2, Informative)

NoStarchPlox (1552983) | more than 4 years ago | (#27924313)

The information wasn't accessible through the public site. The problem was that the server compromised through the public website also contained the private databases.

Re:And... (2, Insightful)

Random2 (1412773) | more than 4 years ago | (#27924393)

But that's my point, why were they linked? Albeit more expensive, why not have a private server for just those databases, not connected to the internet? It seems like we need to worry about making our security better first so we don't have these problems. After all, removing the connection's the best way to stop someone hacking your computer.

Re:And... (2, Interesting)

davidwr (791652) | more than 4 years ago | (#27924579)

I once read an article about a "right" way to secure data. Even the authors admitted it wasn't foolproof but there point was, it was a lot more secure than what most people are using.

Every externally-facing computer was on its own sub-network, mostly isolated from everything else. Web sites, ftp sites, even wireless access points. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.

Portions of the "corporate" network that didn't need to see each other were partitioned.

Internal web servers were in their own partition. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.

When data needed to go from one part of the network to another, say, from an external or internal web site to a data server or from an employee data to an internal web site or file server in another department, it went through a very tightly controlled firewall.

This way, if a web server got compromised, the damage that could be done by "pwning" it was limited. Likewise, if one department's computers got infected, the damage was limited as well.

Now, this isn't foolproof, but in order to compromise the back-end data servers, someone would have to know specific information about the back end data center and the firewall that protected it. Only some of that information could be gleaned if a public or internal web site or other computer was compromised. An attacker would have to be very lucky, very persistent, or bribe an IT or other high-access employee to get what he wanted.

Or, if this were Hollywood, the attacker could just gain employment as a janitor, walk up to the door of the server room, kill the guards, blow the door open with some C4 he ordered over teh interwebs, and walk out of the building with the server, never to be seen again. But that's outside the scope of this discussion.

Sometimes you need an air gap (5, Insightful)

davidwr (791652) | more than 4 years ago | (#27924293)

It's not just military-grade information that needs protecting.

If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.

With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.

For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.

Re:Sometimes you need an air gap (2, Insightful)

Hatta (162192) | more than 4 years ago | (#27924467)

So when you go to the emergency room, how is the hospital supposed to query your electronic medical records at your family doctor when it's behind an air gap?

Maybe they aren't. Re:Sometimes you nee (2, Insightful)

davidwr (791652) | more than 4 years ago | (#27924715)

If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.

However, the details of your bout with the flu 2 years ago or your recovery from your car accident 10 years ago won't be available without human assistance. Neither will the details of your insurance coverage.

There is a balance that needs to be struck between "what could reasonably be so important it can't wait until normal business hours to access" and everything else. Only the former would be retrievable 24/7 without waiting for a person.

Re:Sometimes you need an air gap (1)

Red Flayer (890720) | more than 4 years ago | (#27925595)

Please, can we not call that "man in the middle"? That's a term to used to describe an attack vector.

"Gatekeeper" would be a far better term, IMO.

And for that matter, what you suggest is already used in meatspace... if you want to access public records, typically you need to go through a "custodian of records" or some such... this person helps ensure the validity of requests.

The problem with requiring a live person to act as a gatekeeper on digitally stored records is that in doing so, we lose a lot of the utility of having the records in a db in the first place.

The only other thing I'd like to note -- we have automated gatekeepers on data already (user validation, etc). These are circumventable (as evidenced by TFA, for example). People acting as gatekeepers can also be circumvented, both technologically (somehow spoof the approval or records release), or socially. Or they could be DoS'd by a huge number of requests that keeps them from allowing people who truly need access to get it. We'd be adding cost to maintaining the data, and I'm not sure how much benefit we'd get out of it.

'computers' hacked .. (1)

rs232 (849320) | more than 4 years ago | (#27924311)

How did they manage to not once mention what Operating System these 'computers' run on

Re:'computers' hacked .. (1, Troll)

get quad (917331) | more than 4 years ago | (#27924943)

I was modded as flamebait for actually asking this earlier in the discussion. Heaven forbid we actually know details.

Re:'computers' hacked .. (1)

Dr.Dubious DDQ (11968) | more than 4 years ago | (#27925451)

I was wondering about that myself, though it sounds like this was a compromised website issue rather than an OS issue. (So I guess the question is "was this a hole some programmer left in an ASP.NET page, or was it PHP? (or python or perl cgi)"...)

Break-in free zone signs (4, Funny)

Kohath (38547) | more than 4 years ago | (#27924315)

The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.

for those of you who don't get it... (0)

Anonymous Coward | more than 4 years ago | (#27924653)

Berkeley has these old "Nuclear Weapons Free Zone" signs all over.

Re:for those of you who don't get it... (1)

yali (209015) | more than 4 years ago | (#27925531)

If you detonate a nuclear bomb in Berkeley, you could be fined up to $500 and go to jail for thirty whole days.

No, I am not kidding [berkeley.ca.us] .

Why is this news? (1)

mc1138 (718275) | more than 4 years ago | (#27924331)

I mean, yeah its good that someone is reporting, but this sort of thing seems to be run of the mill these days. This sort of occurrence is happening more not less, to the point that security admins need to start taking this type of threat more seriously.

160,000 students records compromised (1)

viralMeme (1461143) | more than 4 years ago | (#27924451)

'Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk'

Re:160,000 students records compromised (1)

mc1138 (718275) | more than 4 years ago | (#27924847)

Thanks for copying the title of the article. Did you read what I wrote? Or just the title? I'm not saying the news shouldn't report it, but this isn't anything new, and we'll continue to see more new articles like this till systems and security admins start taking a more serious approach to protecting their infrastructures.

Who could benefit from this medical info? (4, Interesting)

Drakkenmensch (1255800) | more than 4 years ago | (#27924439)

Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...

Re:Who could benefit from this medical info? (2, Informative)

darkdaedra (1061330) | more than 4 years ago | (#27925131)

I got the e-mail -- I was a student there at the time. It wasn't the medical records that were compromised, just the SHIP (student health insurance plan) waiver application data that was stolen. Those waivers included SSNs. It's more of a credit/identity theft issue than a medical record issue -- unless of course identity thieves were using that information for health insurance applications, which is, I guess, a real possibility.

Re:Who could benefit from this medical info? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#27925347)

^^ I said this the other day in the article about Pbo trying to get EMR legislation passed.

I think the people that will benefit from this medical information are the Communist Russians (all the states currently run by KGB operatives), Islam (all muslims), North Koreans (Kim Jong Il), and [insert_favorite_fanatical_regime_here] etc. They will use it to develop new biological weapons (swine flu), and deploy them in neighboring 3rd world countries with non-existent border security (Mexico).

What I don't understand is this: If Russia was sending nuclear submarines filled with competent burglars to break into our buildings and steal our sensitive data, we would declare war and commence bombing. WHY oh God WHY don't we do the same for "cyber" crimes committed against us?

You want to stop Russian, Chinese, and Brazilian hackers? Fuck McAfee and Symantec; go to war with the damn country hacking us! Chances are, while these countries may afford citizens hacking enemy states, they won't/can't afford to go to war with the US.

I'm completely sick of the pussification of America, and our people wondering what to do. Our father's and grandfather's generation acted, and the world became a better place for it. I think I actually support the idea that the US needs a Civil War II to purge the nation of the pacifists and political corrects which have plunged us (the world) into a downward spiral of clashing ideals.

Re:Who could benefit from this medical info? (1)

Qzukk (229616) | more than 4 years ago | (#27925421)

mysteriously refused insurance coverage

It's unlikely that the insurance companies would act directly, after all, they'd be in really deep shit if they were found to be in possession of this data, and such an act would be too much of a coincidence to write off, especially after the first two or three Berkley students get rejected.

No, mid-to-large size corporations are the ones that'll use this. They'll be the ones that can afford a few bucks for "candidate screening" and since their employment decisions are secret, the people with pre-existing conditions would just be told that they're not a good match for the company. After all, hiring someone with cancer would drive up the insurance costs for everyone at the office, and that means more money not just out of the company's pocket, but likely out of the manager's pocket as well (on the easy assumption that the company doesn't pay 100% of the policy cost).

Re:Who could benefit from this medical info? (0)

Anonymous Coward | more than 4 years ago | (#27925585)

I wonder if possession of this stolen data by insurers or potential employers could be considered "receiving stolen goods"?

Re:Who could benefit from this medical info? (1)

maxume (22995) | more than 4 years ago | (#27925591)

God forbid the insurance companies serve their other customers.

If you want universal health care, say so. Complaining that insurance companies/em> try to make a profit is tiresome.

When will it be illegal to store/lose this data? (4, Interesting)

odin84gk (1162545) | more than 4 years ago | (#27924539)

When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Lets say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.

Re:When will it be illegal to store/lose this data (0)

Anonymous Coward | more than 4 years ago | (#27925303)

2.) make it illegal to store a social security number/credit card number?

That's not the heart of the problem. There is nothing magical about a SSN beyond being a useful unique identifier to distinguish John Doe from John Doe.

The problem is that SSNs get used for both identification AND authentication!

>Hi, I want a credit card
-Name please?
>John Doe from NYC, NY
-Um, which John Doe? Is there some piece of information that uniquely identifies you?
>John Doe, SSN 123-45-6789
-We need to verify that you are actually this person. Is there some private information that you would never tell anyone and only you know?
>Well, my SSN is 123-45-6789
-Very good. Since obviously that's such a complicated and secret 9-digit number, you must obviously be who you say you are. Here's your new credit card.

y solution: The Social Security Administration announces that on July 1st, 2010, all SSNs and the names they are associated with will be published and available to everyone. Leave it up to the finance and health care industries to stop using SSNs as authentication.

Re:When will it be illegal to store/lose this data (1)

plover (150551) | more than 4 years ago | (#27925393)

Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.

Unfortunately, there is (and can be) no such proof. It's a part of the fundamentals of security: you can't prove a negative.

The way I see it, we really have three choices for protecting data:

  • Armor your systems against all the possible known attacks. Use firewalls, intrusion detection systems, encrypt the data, require smart card access mechanisms, patch your servers, blah, blah, blah.
  • Reduce or remove the sensitive data entirely. You do not have to protect it if you do not have it.
  • Take away the value of the data. If the data is no longer valuable, there will be no incentive to steal it.

The problem with the first approach is that's what we're all "supposed" to be doing, but obviously are not. With millions of sites and retailers etc., there are always going to be leaks.

The second solution is the easiest and best way to protect your organization. Why store the data if you don't need it? Do they really need my SSN in their database? They could use their own numbering system. Why do they need my address? If I'm in a hospital, I'm not at home, I'm in the bed in room 217C -- if they want to find me, I'm right there. Do they even need my name? Why do they need all these different identifiers, and why do they need to tie them all together in a common database?

The third option requires a fundamental change in how credit is granted, but is the one of the best approaches to stem the tide of data thefts across the board. While it would remove incentive to steal the data for financial reasons, it would do little to protect against data theft for other reasons (perhaps a list of HIV-positive patients could be used for extortion: pay me a million dollars or I post it on the web.)

These approaches are not mutually exclusive. We can employ them all at the same time. It's just that it has to be done, and without tools like lawsuits or other punishments, few organizations are doing them.

Re:When will it be illegal to store/lose this data (1)

mlts (1038732) | more than 4 years ago | (#27925773)

A fourth would be separation of data onto different databases on different servers. If social security numbers are not needed, have those stored in a smaller armored database that doesn't connect to the Web. Instead, use another number.

This way, if an application needs information, it can grab what it needs, but no more.

privacy? what privacy? (5, Funny)

bugi (8479) | more than 4 years ago | (#27924589)

So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.

I wish that were funny.

Re:privacy? what privacy? (0)

Anonymous Coward | more than 4 years ago | (#27925161)

I wish that were funny.

I wish it were too. Try harder next time.

H-1b Visa Use at UC Berkeley (0, Flamebait)

randall_burns (108052) | more than 4 years ago | (#27924677)

The University of California at Berkeley is also a heavy user [myvisajobs.com] of H-1b visas. The last 8 year, UC Berkeley has applied for 977 H-1b Visas. It isn't clear how many of these related to their computer staff-but traditionally about half of all H-1b visas are used for that purpose. It is simply not credible to bring numerous foreign workers from places where you can't even reliably do a background check(people are regularly declared dead in India and simply can't sort it out) and expect to maintain any semblance of security.

The management of UC Berkeley should be investigated for criminal negligence.

Re:H-1b Visa Use at UC Berkeley (0)

Anonymous Coward | more than 4 years ago | (#27924989)

Take a look at this fucking idiot, making a connection where none exists.

Re:H-1b Visa Use at UC Berkeley (1)

feranick (858651) | more than 4 years ago | (#27925187)

What an idiotic comment: Assuming that all H1b visa holders are fraudulent criminals. Americans, instead are all angels. Yeah, right. Come on, on the opposite of you, I actually work at UC Berkeley (and I am a US citizen). Most of the H1b are granted to researcher who are valued as an asset for the university. If the US education system would be better than what it is, you would see a much lower number of H1b visas at UC Berkeley.

copy of the e-mail that was sent out (0)

Anonymous Coward | more than 4 years ago | (#27924683)

Colleagues,
We want to let you know that today the campus is sending notification letters and emails to members of our community to inform them of a computer breach that resulted in the theft of personal information from databases in our University Health Services, UHS, area.

The victims of this crime are current and former students, as well as their parents and spouses if linked to insurance coverage, who had UHS health care coverage or received services. We are also sending notification letters to Mills College students who received, or were eligible to receive, healthcare on the UC Berkeley campus.

We sincerely regret and apologize for any difficulty this theft may create for individuals who may have had their personal information exposed. We have alerted campus police detectives and the FBI, and are doing all that we can to investigate this crime. All of the exposed databases were immediately removed from service to make sure that they would be completely protected from any future attacks.

Those individuals directly affected by the theft will receive letters with detailed information on steps that they can take to protect their credit and identity. We have launched a dedicated web site, http://datatheft.berkeley.edu that contains detailed information for affected individuals, the media and the general public. In addition a Data Theft Hotline, 888-729-3301 will be operating 24 hours a day, 7 days a week to answer questions from affected individuals.

UC Berkeley computer administrators determined on April 21 that electronic databases in UHS had been breached and data stolen by overseas criminals. The databases stored personally identifiable information used for billing such as Social Security numbers, and non-treatment medical information such as immunization history, UHS medical record numbers, dates of visits or names of providers seen, or for participants in the Education Abroad Program, certain information from the self-reported health history.

Please be assured that UHS electronic medical records, which include details of patients diagnoses~, treatments and therapies, are stored in a separate system and were not affected in this incident.

To ensure that we fully understand the nature of the security breach and to determine the steps that we can take to minimize the risk of a reoccurrence, the university has hired an outside auditor, Price Waterhouse Coopers, to support our ongoing investigation of the incident. The campus is committed to implementing recommendations that address the root causes of this security breach.

Steve Lustig
Associate Vice Chancellor
Health and Human Services

Shelton Waggener
Associate Vice Chancellor & CIO
Information Services & Technology

They did NOT steal medical records (0)

Anonymous Coward | more than 4 years ago | (#27924875)

Social security numbers were stolen, and some data about which doctors had been referred. However, it specifically says that medical records were stored on a different system, which was not compromised.

going on at other universities too (0)

Anonymous Coward | more than 4 years ago | (#27924925)

For the past several years, the management of university IT departments throughout the country have been more concerned with ITLP than they have been about providing reliable AND secure service.

The engineers who dare to point out that the emperor has no clothes are outshouted at once, and their names recorded for the next round of layoffs.

I am personally familiar with a HUGE security vulnerability involving SSNs at a very large and well-known university. The problem has existed for years, but management takes the approach of "we haven't had a breach, therefore we are secure" then pats itself on the back and gives itself a raise.

Soooo what were they running.... (0)

Anonymous Coward | more than 4 years ago | (#27925101)

Windows or a BSD flavor?

Wanna know the basic problem here? (0)

Anonymous Coward | more than 4 years ago | (#27925245)

From http://berkeley.edu/news/media/releases/2009/05/08_breach.shtml :

"The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server."

What idiot stores a database with sensitive info on a public webserver?????

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...