The hack into a UC Berkeley computer that compromised the personal information of hundreds of thousands of people may not be uncommon, according to analysts. The amount of information compromised, however, is huge.
“University computers in general are notoriously open to attack,” said Steve Hunt, vice president and research director for Forrester Research’s security group. He said that university students and faculty strongly lobby to keep all information free and accessible, which is at odds with security concerns.
“I’m not saying Berkeley computers can be easily hacked,” Hunt told TechNewsWorld. “I’m saying that if security was found to be lacking, it probably didn’t raise any red flags.”
Berkeley’s announcement of the security breach — in which the hacker gained access to names, addresses, telephone numbers, Social Security numbers and birth dates of about 600,000 clients and workers of California’s In-Home Supportive Services program — may have more to do with a California law than with the nature of the attack, Hunt said.
California law requires any agency or business to notify anyone whose information may have been stolen. The law states that notification can be delayed if it would slow a criminal investigation, a provision that might explain why the breach, which occurred on August 1 and was discovered in early September, was not reported sooner.
The California Department of Social Services, the California Highway Patrol and the FBI are investigating. Hunt said that the FBI won’t investigate hacking cases unless there has been “significant loss,” which he estimated to be at least $100,000.
Even if each person’s information is valued at $1, that’s a $600,000 loss. Berkeley has said in a press release that there’s no evidence the information was actually taken. The information was stored on the computer of a visiting scholar at the Institute of Industrial Relations who was doing a statistical analysis examining provider pay and the quality of home health care in California, the university said.
“University students are naturally inquisitive and hacking is a result of inquisitiveness. They’re testing the boundaries. Probably every single computer at Berkeley has been hacked or has had someone try to hack it,” Hunt said.
The university said networking officials think the hole was left open when a non-Berkeley computer and server were linked to the campus network, but that there’s no evidence that the database was downloaded. Even so, the state has recommended that anyone involved in the home-care program since 2001 should get a credit check.