Feeds

Feds probe huge California data breach

Details of 1.4m people exposed

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

The FBI is investigating the penetration of a university research system that housed sensitive personal data on a staggering 1.4m Californians who participated in a state social program, officials said on Tuesday.

The compromised system had the names, addresses, phone numbers, social security numbers and dates of birth of everyone who provided or received care under California's In-Home Supportive Services program since 2001, says Carlos Ramos, assistant secretary of the state's Health and Human Services Agency. The program pays a modest hourly wage to workers who provide in-home care for hundred of thousands of low-income elderly, blind and disabled people.

Officials say they have not determined whether or not the intruder actually downloaded the database, which had been made available to researchers at the University of California, Berkeley under a confidentiality agreement. "We don't know whether or not the information was accessed," says Ramos. "Since it is sensitive data we figured it would be best to get word out to people so they can take preventive measures just in case."

The agency is recommending that anyone who participated in the program since 2001 contact the three major credit reporting agencies to place a fraud alert on their credit profiles, and start monitoring their credit reports for signs of identity theft.

Ramos says the state has withdrawn the researcher's access to the database.

George Strait, head of U.C. Berkeley's Public Affairs office, confirmed the intrusion, and said the project involved "research into how to make better the delivery of care to people who are homebound."

Mass Disclosure

The intrusion appears the be the largest public disclosure so far under California's anti-identity theft law "SB1386," which requires companies and state agencies to inform Californians of any security breach in which such personal information is "reasonably believed to have been" compromised. In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website posting and by alerting the media. "That's why we're asking folks for help," says Ramos.

The law passed last year in the wake of an intrusion into a government system that housed information on approximately 265,000 state workers -- a fraction of the number at risk in the U.C. Berkeley intrusion.

The intruder used a known vulnerability to crack the university system on 1 August, but wasn't detected until 30 August. Ramos says the university didn't notify the agency until late September; the university says it reported the attack to the state within two weeks of discovery.

According to Ramos, the university had not been in compliance with the security rules the state sets out for research access to sensitive data. The incident has the agency reviewing its agreements with researchers, and looking at ways to verify security compliance. "We're reasonably certain that, had the researcher been in compliance, this would not be an issue," Ramos says.

Strait says he doesn't know anything about the security requirements, but that the university handled the intrusion properly. An FBI spokesperson confirmed the bureau was aware of the incident, but would not otherwise comment.

Copyright © 2004, SecurityFocus logo

Related stories

Investors fret about IT security
FBI publishes computer crime and security stats
Security cert body gives lesson in insecurity

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.