This database contains certain personal information about UCLA's current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. Approximately 3,200 of those being notified are current or former staff and faculty of the University of California, Merced, and current or former employees of the University of California Office of the President, for which UCLA does administrative processing.
In a letter being sent to affected individuals, Acting Chancellor Norman Abrams said that personal information about at least some of the individuals was obtained by the hacker but that there is no evidence that any data has been misused. The database includes names, Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information.
"We take our responsibility to safeguard personal information very seriously," Abrams said. "My primary concern is to make sure this does not happen again and to provide to the people whose data is stored in the database important information on how to minimize the risk of potential identity theft and fraud."
UCLA blocked access to the Social Security numbers and the database when suspicious activity was detected on Nov. 21 and immediately activated its information technology security incident team. UCLA also notified the FBI, which is conducting an investigation.
Even though UCLA's ongoing investigation at this time indicates only that the hacker sought and obtained some of the Social Security numbers, out of an abundance of caution, the university decided to notify all 800,000 people whose names are listed in the restricted database.
"Ensuring data security is one of the most important responsibilities we have to the campus community, and in recent years we have significantly strengthened our information security practices in response to increasing attacks. In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications," said Jim Davis, UCLA's chief information officer and associate vice chancellor -- Information Technology. "We deeply regret the concern and inconvenience caused by this illegal activity. We have reconstructed and protected the compromised database and launched a comprehensive review of all computer security measures to accelerate systematic enhancements that were already in progress."
UCLA began sending notification letters and e-mails on Dec. 12, as soon as possible after determining that personal data was potentially accessed and after retrieving individual contact information. The letters suggest that recipients contact credit reporting agencies and take steps to minimize the risk of potential identity theft.
To provide information and respond to queries, UCLA has established a Web site.
