UCLA warns 800,000 about data break-in

LOS ANGELES — The University of California, Los Angeles, alerted about 800,000 current and former students, faculty and staff on Tuesday that their names and certain personal information were exposed after a hacker broke into a campus computer system.

Only a small percentage — "far less than 5 percent" — of the records in the database were actually accessed, UCLA spokesman Jim Davis said.

Still, it was one of the largest such breaches involving a U.S. university.

The intrusions began in October 2005 and ended Nov. 21 of this year, when computer security technicians noticed suspicious database queries, according to a statement posted on a school Web site set up to answer questions about the theft.

Davis said the hacker used a program designed to exploit an undetected software flaw to bypass security and get into the restricted database, which has information on current and former students, faculty and staff, and some student applicants and parents of students or applicants who applied for financial aid.

However, many of the records in the database do not link names and Social Security numbers, the two pieces of information the hacker was after, Davis said.

The university's investigation so far shows only that the hacker sought and obtained some of the Social Security numbers. Out of caution, the school said, it was contacting everyone listed in the database.

Acting Chancellor Norman Abrams said in a letter posted on the site that although the database includes Social Security numbers, home addresses and birth dates, there was no evidence any data have been misused.

The letter suggests, however, that recipients contact credit reporting agencies and take steps to minimize the risk of potential identity theft. The database does not include driver's license numbers or credit-card or banking information.

"We have a responsibility to safeguard personal information, an obligation that we take very seriously," Abrams wrote. "I deeply regret any concern or inconvenience this incident may cause you."

The breach is among the latest involving universities, financial institutions, private companies and government agencies. A stolen Veterans Affairs laptop contained information on 26.5 million veterans, and a hacker into the Nebraska child-support computer system may have gotten data on 300,000 people and 9,000 employers.

Security experts said the UCLA breach, in the sheer number of people affected, appeared to be among the largest at an American college or university.

In 2005, a database at the University of Southern California was hacked, exposing the records of 270,000 individuals.