BreachExchange mailing list archives
berkeley letter: UC hacking leaves thousands at risk of ID theft
From: security curmudgeon <jericho () attrition org>
Date: Sat, 9 May 2009 05:50:25 +0000 (UTC)
---------- Forwarded message ----------
From: Skyler King <SKing () checkpoint com>

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/05/08/BAPA17H89B.DTL&feed=rss.bayarea

Sent to students/employees:

Dear Associate of UC Berkeley,

We are writing to you because UC Berkeley's University Health Services, UHS, recently learned that criminal computer hackers broke into electronic databases containing personal information belonging to some UHS clients and their parents or spouses. Although the investigation is still underway, we wanted to alert you as soon as possible that some of your personal information, including your Social Security number stored on those databases, was stolen, which puts you at risk for identity theft. It is also possible that your parents or guardian or spouse's information was taken if you waived enrollment in the Student Health Insurance Plan, and they were the policy holder of your health coverage.

In addition, the criminals may have stolen information related to your health insurance coverage and some of your non-treatment medical information such as Hepatitis B immunization history, UHS medical record number, dates of visits or names of providers seen, or for participants in the Education Abroad Program, certain information from the self-reported health history. You will receive a second notification letter from us if, in addition to your Social Security number, this information was also stolen.

Please be assured that UHS electronic medical records, including patient diagnoses, treatments and therapies, are stored in a separate system and were not affected in this incident.

We sincerely regret and apologize for any difficulty that this theft may create for you. We have alerted campus police detectives and the FBI, and we are doing all that we can to investigate this crime. We are also dedicated to assisting you with information about the incident and services that can help prevent or minimize the impact this theft may have on you.

Protecting Your Personal Information

Attached to this letter is a resource sheet to assist you with steps that you may wish to take to protect your identity and credit. As a precautionary measure, we urge you to create immediately a no-cost, formal fraud alert on your consumer credit file. If someone attempts to open a new credit card account in your name, this service will monitor activity on your account.

We have also established a Data Theft Hotline, 888-729-3301. Trained personnel will be available 24 hours a day, 7 days a week to help you determine the full extent of your personal exposure and assist you with information about credit and identity protection services. When you call, you will be asked to provide personal information to validate your identity.

Additional information can also be found on our dedicated web site: http://datatheft.berkeley.edu

Background Information about the Theft

UC Berkeley computer administrators determined on April 21, 2009 that restricted electronic databases had been illegally accessed by hackers, and that the data thefts began on October 9, 2008, and continued until April 6, 2009. All of the exposed databases were immediately removed from service to make sure that they would be completely protected from any future attacks.

To ensure that we fully understand the nature of the security breach and to determine the steps that we can take to minimize the risk of a reoccurrence, the university has hired an outside auditor, Price Waterhouse Coopers, to support our ongoing investigation of the incident.

Finally, please be aware that sometimes in these situations, dishonest people falsely identifying themselves as UC Berkeley representatives may contact you and offer assistance with the intention of obtaining more personal information from you. If you call our Data Theft Hotline the operator will need to ask for information to validate your identity, but we want to assure you that UC Berkeley will not contact you by phone, e-mail or any other method to ask you for personal information. If you are uncertain about any inquiry, please call our hotline directly.

Sincerely,

Steve Lustig
Associate Vice Chancellor, Health and Human Services

Shelton Waggener
Associate Vice Chancellor & Chief Information Officer

Understanding and Protecting Yourself from Identity Theft

People who have had personal information stolen are at risk if they do not take steps to protect their identity. According to a Federal Trade Commission report, most identity theft involves the illegal use of credit card, bank, utilities, and other existing accounts. Fortunately, there are steps, described below, that you can take to protect yourself and your credit. In addition, extensive information on personal identity theft and fraud and protective steps you can take is available on the Web site of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs, http://www.privacy.ca.gov.

PLACING A FRAUD ALERT

By placing a fraud alert on your consumer credit file, you let creditors know that they should watch for unusual or suspicious activity in any of your accounts, such as someone trying to open a credit card account in your name. To place a free fraud alert, call one of the three major credit reporting agencies listed below. Your phone call will take you to an automated phone system. Be sure to listen carefully to the selections and indicate that you are at risk for credit fraud. You need only contact one of these agencies, which will automatically forward the fraud alert to the other two. These agencies offer the initial fraud alerts at no charge.

Equifax
888-766-0008
Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374
http://www.equifax.com Equifax home page
http://www.equifax.com/answers/set-fraud-alerts/en_efx Equifax fraud alert information page

Experian
888-397-3742
Credit Fraud Center
P.O. Box 1017
Allen, TX 75013
http://www.experian.com Experian home page
https://www.experian.com/consumer/cac/InvalidateSession.do?code=SECURITYALERT Experian credit fraud page
http://www.experian.com/consumer/fraud_faqs.html#security Experian credit fraud FAQ

TransUnion
800-680-7289
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834
http://www.tuc.com TransUnion home page
http://www.transunion.com/corporate/personal/fraudIdentityTheft/fraudPrevention/fraudAlert.page TransUnion fraud page

Soon after you place a fraud alert, you will receive credit reports by mail from all three reporting agencies. In the credit report, check your personal information, including home address, Social Security number, etc., for accuracy. Look for any charges that you did not make. Watch for any accounts that you did not open. Note any inquiries from creditors that you did not initiate. If you find anything that looks suspicious or that you do not understand, call the credit agency at the telephone number listed on your credit report. You may also wish to call your local police or sheriff's office to file a report of identity theft.

PLACING A SECURITY FREEZE

A security freeze means that your credit file cannot be shared with potential creditors unless you give your consent. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to obtain credit in your name. If you take this step any new creditors that request your file from one of the three credit bureaus will only obtain a message or a code indicating that the file is frozen. While you will be able to lift the freeze for legitimate inquiries, you should be aware that this can slow any credit approval process.

A security freeze is free to those who have a police report of verified identity theft. To obtain a police report, contact your local police department. Give the police as much information on the theft as possible. One way to do this is to provide copies of your credit reports showing the items related to identity theft. Black out other items not related to identity theft. Give the police any new evidence you collect to add to your report. Be sure to obtain a copy of your police report. You will need to give copies to creditors and the credit bureaus.

If you do not have a police report, it costs $10 to place a freeze with each credit bureau, for a total of $30. The credit bureaus require that freeze requests be made in writing. Samples of freeze request letters can be found at: http://www.oispp.ca.gov/consumer_privacy/consumer/documents/pdf/cis10securityfreeze.pdf

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Send by certified mail. Include name, current and former address, Social Security number and date of birth. Pay by check, money order or credit card, Visa, Master Card, American Express or Discover only. Give name of credit card, account number and expiration date.

Experian Security Freeze
P. O. Box 9554
Allen, TX 75013
Send by certified mail. Include full name, with middle initial and Jr./Sr., etc. Include current address and home addresses for past five years, Social Security number, birth date and two proofs of residence, such as a copy of driver's license, utility bill, insurance statement, bank statement. Pay by check, money order or credit card. Give name of credit card, account number and expiration date.

TransUnion Security Freeze
P. O. Box 6790
Fullerton, CA 92834
Send by regular or certified mail. Include first name, middle initial, last name, Jr./Sr., etc. Current home address and addresses for past five years, Social Security number and birth date. Pay by check, money order or credit card. Give name of credit card, account number and expiration date.

Additional information on how to initiate a Security Freeze can be found on the Web site of the California Office of Privacy Protection: http://www.oispp.ca.gov/consumer_privacy/consumer/documents/pdf/cis10securityfreeze.pdf

CREDIT MONITORING

This service will send you e-mail alerts when new accounts, inquiries, negative information, credit-limit changes, and other items appear on your credit report. The following firms all offer credit monitoring services on a monthly basis with prices ranging from $4.95 to $14.95 a month. Please note that the Federal Trade Commission and the country's leading consumer groups do not endorse this particular service. They suggest that signing up for a free Fraud Alert and placing a Security Freeze on your credit file offers a higher level of protection.

Experian: http://www.experiandirect.com/triplealert/default.aspx?sc=668715
True Credit: https://www.truecredit.com/products/optimizedOrder.jsp?package=TriBureauCMU
Identity Guard: http://www.identityguard.com/getprotected/landing.aspx
Equifax: http://www.equifax.com/id-patrol/

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)