BelchSpeak

I can't believe that came from your mouth!


UCLA Screws 800K

Lax security at UCLA gave hackers more than a year to harvest personally identifiable data from its servers. 800,000 people are being notified that their data was exposed.

From the AP here:

LOS ANGELES – The University of California, Los Angeles alerted about 800,000 current and former students, faculty and staff on Tuesday that their names and certain personal information were exposed after a hacker broke into a campus computer system.

Only a small percentage, “far less than 5 percent,” of the records in the database were actually accessed, UCLA spokesman Jim Davis told The Associated Press.

The attacks started in October 2005 and ended Nov. 21 of this year, when computer security technicians noticed suspicious database queries, according to a statement posted on a school Web site set up to answer questions about the theft.

Davis said the hacker used a program designed to exploit an undetected software flaw to bypass security and get into the restricted database, which has information on current and former students, faculty and staff, and some student applicants and parents of students or applicants who applied for financial aid.

Many of the records in the database do not link names and Social Security numbers, however, the two pieces of information the hacker was after, Davis said.

The university’s investigation so far shows only that the hacker sought and obtained some of the Social Security numbers. Out of caution, the school said, it was contacting everyone listed in the database.

I question what this “undetected software flaw” was. Undetected by whom? Certainly the hackers (and there were likely several gangs of hackers taking advantage of the weakness) knew what this software flaw was. My guess is it was a SQL code injection. Someone will certainly be fired over this egregious breach.

Dr. Jones

Do not talk about fight club. Oops.
