ECommerceTimes.com

UCLA Notifies 800,000 of Data Breach


A data breach at UCLA has compromised the personal information of as many as 800,000 people associated with the university. The hacked database contained names, Social Security numbers, dates of birth, home addresses and contact information. There are signs that at least some personal information has been obtained by the hacker, acting Chancellor Norman Abrams said.



Some 800,000 people associated with UCLA have been notified that their names and certain personal information were in a database that was compromised by a hacker. The database contained personal information about current and former students, faculty and staff, and some applicants.

There are signs that at least some personal information has been obtained by the hacker, according to acting Chancellor Norman Abrams. The database includes names, Social Security numbers, dates of birth, home addresses and contact information.

Personal Information

"We take our responsibility to safeguard personal information very seriously," Abrams said. "My primary concern is to make sure this does not happen again and to provide to the people whose data is stored in the database important information on how to minimize the risk of potential identity theft and fraud."

According to the university, the hacker gained access using a software program that exploited an undetected flaw in its software.

On Nov. 21, computer security at UCLA noticed an unusually high volume of database queries. The investigation found that access attempts had been made for more than a year, beginning in October 2005. UCLA sent out notices on Dec. 12 to people who might have been affected.

Following the Steps

So far, UCLA appears to be doing everything by the book and, according to accounts, the security flaw appears to be a software problem caused by a third-party vendor and not by lax internal processes, Scott Vernick, a partner with Fox Rothschild, said.

That could make all the difference if a person's data were compromised and that led to the theft of money. "It is conceivable that the university could be held liable if it were demonstrated that it did not take the appropriate safeguards," Vernick told TechNewsWorld.

Such a lawsuit would have a steep uphill climb. For the most part, data breaches have been punished by federal regulators, as consumers have little practical recourse in the legal system. However, as the problem worsens and more high-profile thefts occur -- Vernick claimed this is probably the largest one that has occurred in an education facility -- that may change.

There were several bills pending in the last Congress about data security and notification procedures, and consumer advocates will press this issue in the upcoming session.

Federal Regulations

Thus far, more than 40 states have implemented their own notification policies. A federal law could preempt those laws, possibly lowering stringent standards in such states as California.

Meanwhile, companies are taking no chances.

"Sophisticated buyers of software and computer systems are making sure their agreements with vendors have indemnification clauses that would hold the vendor responsible for security breaches," Vernick explained. If UCLA had negotiated such a clause with its software vendor and it were to be sued by an identity theft victim, the software vendor would be the liable party.

Such agreements are becoming more commonplace across all industries, Vernick noted. "For instance, if a company uses one hotel for corporate use, that hotel likely has employee information. So, now what companies are doing when they negotiate the best rate, they are also negotiating indemnification clauses."


By Erika Morphy

