An open meeting was held on Monday, May 11 to discuss a security breach of the UC Berkeley Tang Center, in which hackers accessed the electronic records database that held personal information for tens of thousands of UC Berkeley and Mills students.
The meeting was held to inform the Mills community of how the information was compromised, and to answer questions regarding the degree to which Mills students are affected and what can be done to protect them from identity theft.
The databases contained 97,000 Social Security numbers, health insurance information and medical records. Among those affected are 3,400 Mills students.
“To our knowledge at this point no one’s identity has actually been stolen,” said Joi Lewis, Dean of Student Life. “However, we want to make sure that we’re being proactive just in case some of those things might happen, what are things that you should do.”
Representatives from UC Berkeley attended the meeting to provide information on how hackers were able to access the information, and what steps are being taken to notify students that their identities could be at risk.
Claire Holmes, Associate Vice President of Communications, and Sheldon Waggener, Associate Vice President of Information Technology, were available to answer questions.
Waggener explained that the information was personally identifiable for eligibility purposes, and included student’s names, addresses, and social security numbers.
“Basically the information that we had from Mills is provided for eligibility purposes,” said Waggener. “That file from Mills is stored in a database, and that database was hacked. So in there, one of the identifiers is your social security number. So your social security number was stolen by virtue of this hack.”
She added, “So what you should be aware of is that information can be used by someone who wants to perpetrate identity theft.”
Waggener noted two possible forms of identity theft possible in this type of situation. One is credit identity theft, which occurs if someone tries to open an account in another person’s name. The other is medical identity theft, in which someone uses another person’s name and personal information to obtain medical care.
He recommended that students place a free fraud alert to protect themselves from identity theft.
“These could just be malicious hackers, we don’t know. But we do know that that data was taken,” Waggener said.
The theft occurred between Oct. 8, 2008 and Apr. 6, 2009.
“We began to do the forensics to determine what was taken and when. There are some 17 million log entries so there are a lot of needle in a haystack kind of problems,” said Waggener.
University detectives and an FBI task force were notified and together provided information for the criminal investigation currently underway.
A security and identity team has also been constructed to determine how the hackers got past security in the system.
Waggener said that these types of attacks are common. He also explained investigators believe the hackers came through a public network because the information was on a shared system.
“In the meantime, you definitely should be aware that this type of theft does not mean that your identity has been stolen but it’s something to be concerned about.”
Students asked questions to clarify whether the entire student body was effected by the break-in or just some.
“Every Mills student, for eligibility purposes was effected,” said Waggener.
He also clarified for students how the fraud alert service works, explaining that there are versions that are both free and require a small fee, but the only difference is that the free service must be reactivated after 90 days.
“It only takes one phone call, but you have to be the one to do it. We couldn’t do it for you,” said Waggener.
He also acknowledged that credit companies often try to sell a similar service of fraud alert, but everyone has the right to it for free.
Senior Emily Leavitt was concerned that her information would be used for identity theft. She came to the meeting to find out what student’s rights were in these situations.
“I’m going to call the number and make a fraud alert,” said Leavitt. There are steps you can take to fix it, it’s not like you can’t do anything.”
Claire Holmes explained that students were informed via email that their records had been stolen, and another letter will be sent to students’ homes.
To place a free fraud alert, call Equifax at 888-766-0008, Experian at 888-397-3742, or Transunion at 800-680-7289.
