On September 16th of this year, the servers that were used for the capital projects and physical plant units at the University of California, Berkeley were compromised. The breach involved servers and workstations in the Real Estate division which is responsible for commercial leasing and campus filming and facility use permits to name a few of their functions.
Once the breach was detected on September 26th the systems were taken offline and an investigation was launched. The university took steps to consult with a forensic security firm although, it is unclear if they ever informed law enforcement beyond that of the campus police. The servers in question housed files with personal information for which included names, social security numbers, credit card numbers and drivers licenses. It isn't clear how many people were affected by this data breach.
Now, while the school commits that "we have no evidence that an unauthorized individual has misused your personal information; however, there are some steps you should consider taking to protect yourself.” One should assume that since the data was compromised that the damage is already done. It would be wise for the affected parties to ensure that fraud alerting is set up with creditors in the event that someone attempts to open an account with that information. I’m always troubled by the “no evidence” statement as it provides the reader with the impression that their data has not been negatively impacted beyond the breach itself. Not nearly as troubling as the phrase “the laptop was password protected” when dealing with a stolen computer.
If you receive a letter from UC Berkeley regarding this data breach be sure to enroll in the credit monitoring program.
From UC Berkeley,
We have contracted with ID Experts®, a company that specializes in identity theft protection and fraud resolution, to provide you with a comprehensive one-year membership in their program. As part of your one year membership, you will receive credit monitoring and protection services for 12 months at no cost. We encourage you to contact ID Experts with any questions and to enroll in the free services by calling 877-846-6340 or going to www.myidcare.com/ucbinfo. ID Experts is available Monday through Friday from 6 am - 6 pm Pacific Time. Please note the deadline to enroll is March 20, 2015.
The part of this breach that really stuck out for me was the phrase, "as well as review and enhancement of information security controls in the Real Estate Division.” This leaves me with the idea that the systems in this division were not part of a centrally managed deployment. I’m not certain but, having read enough of these notices over the years I’m certainly left with that point of view.
I must admit that I am curious as to why it took as long as it did to make this breach disclosure announcement.
Be sure to patch and monitor your systems.