Clifford Stoll, a researcher at the University of California at Berkeley, once discovered a 75-cent discrepancy in billing for his university computer time. His investigation, recounted in the book The Cuckoo's Egg, is one of the best-documented attempts to track down a criminal hacker (cracker). If you haven't read it, I recommend it. Now UC Berkeley has another mystery on its hands and a bit of egg on its face.
In what officials describe as possibly the most extensive computer data intrusion in the university's history, a database containing up to 1.4 million names, addresses, phone numbers, social security numbers, and dates of birth may have been viewed last August by outside crackers. Sadly, the potential victims are the elderly, the disabled, and their caregivers. I emphasize that the intruders may have accessed this database; there have been no reports of identity theft from this incident, and it's unclear whether the database was accessed or downloaded to another computer. Still, the California Department of Social Services is urging anyone who has used the In Home Social Service program since 2001 to take preventive action to stop any related identity thefts.
California law SB 1386
When you put a credit card online or supply your social security number to a government agency, you assume that the data is safe. But sometimes your personal data is loaned out to third parties, and that's the weak spot where crackers are able to break in. In this case, the California Department of Social Services agreed to let a visiting UC Berkeley researcher have a copy of its In Home Support Services database to study the effects of low wages and employee turnover among caregivers for the elderly and the disabled. Apparently, the researcher, identified in a UCLA student newspaper as Candace Howes, a visiting scholar from Connecticut College, failed to take appropriate security precautions on her computer. Crackers gained access to the researcher's computer by exploiting a software vulnerability; the university declined to name the software involved. Whether the database of 1.4 million individuals actually ended up in the hands of a wrongdoer won't be known until the investigation is complete.
Nonetheless, there's a law in California, SB 1386, which states that any security compromises involving nonencrypted databases containing at least the first name, last name, address, phone number, social security number, and date of birth of California residents must be disclosed, either by mail or via the media. Public notification can be delayed if the company or government agency contacts law enforcement agencies first, in which case, the disclosure may follow an investigation by law enforcement. In late August, the University of California Berkeley conducted its own investigation, then in September, asked the FBI for assistance. California state officials decided to go public with the computer compromise last Wednesday, although the investigation continues.
California's senior U.S. senator, Dianne Feinstein, has attempted to create a national law similar to SB 1386, but her bill has languished in the Senate. Apparently, some see the disclosure rule as punitive toward companies and government agencies, opening them up to potential lawsuits. On the other side, however, companies and governments are safeguarding their personal information databases better today because of SB 1386. And customers are finding out in advance that their credit history may be at risk now, rather than discovering the fact years later. I think this should be a national law, and I think all U.S. companies should be required by law to protect the personal information of their employees and customers.
What to do next
Why is it so important that you find out? Because should you learn that a database containing your personal information has been breached, you can take the following steps to protect yourself against any further damage. First, contact the three major credit bureaus and ask that a fraud alert be placed on your credit history. The alert will remain in effect for 90 days and will flag any merchant or bank accessing your credit report that the potential for fraud exists. Merchants and banks should then do a more thorough job of checking the identity of the purchaser. The three credit bureaus are:
Equifax
P.O. Box 740241
Atlanta, Georgia 30374-0241

Experian
P.O. Box 2104
Allen, Texas 75013

TransUnion
P.O. Box 1000
Chester, Pennsylvania 19022
Currently, residents in most states are charged for requesting copies of their individual report. I think that's wrong. So does Congress. Starting in December 2004, the Fair and Accurate Credit Transaction Reporting Act (FACTA) of 2003 will allow residents in the Western United States to receive one free credit report listing data from all three credit bureaus each year. While the law is designed to correct errors in the report, it is also a valuable tool in spotting potential abuses. In March 2005, residents in the Midwest will be eligible for their free report, and in June, so will residents in the South, and in September, those in the Northeast. In December 2004, the Federal Trade Commission Web site will post more information on the program, including a toll-free number to request your free report.
The University of California at Berkeley's plan for complying with SB 1386 is online for all to see. It clearly states, "Collect and retain only that data which is essential to the performance of assigned tasks." I can't help but wonder why any academic researcher would need social security numbers. But it's always an unfortunate incident such as this that first alerts us to a problem.
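One way to apply that data-minimization rule before a database copy ever leaves the agency, as an added example that is not from the article or from UC Berkeley's plan: the research extract keeps only the fields a wage-and-turnover study needs, replaces the social security number with a keyed HMAC pseudonym (the key stays with the agency, so the researcher's copy cannot be linked back to a person), and coarsens date of birth to an age band. Field names, the key, and the sample rows are constructed for illustration.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample rows standing in for the caregiver database; not real people.
SOURCE_ROWS = [
    {"first_name": "Ana", "last_name": "Lopez", "ssn": "123-45-6789",
     "dob": "1961-03-04", "address": "1 Main St", "phone": "555-0101",
     "county": "Alameda", "hourly_wage": 9.50, "months_employed": 14},
    {"first_name": "Bo", "last_name": "Chen", "ssn": "987-65-4321",
     "dob": "1979-11-22", "address": "2 Oak Ave", "phone": "555-0102",
     "county": "Fresno", "hourly_wage": 8.75, "months_employed": 3},
]

# The identity fields the article lists as the SB 1386 trigger; none of them
# should survive into a copy handed to a third party.
IDENTITY_FIELDS = {"first_name", "last_name", "address", "phone", "ssn", "dob"}


def pseudonym(ssn, key):
    """Keyed HMAC of the SSN: the same person gets the same ID across extracts,
    but the ID cannot be reversed without the key, which the agency keeps."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso, today):
    """Collapse an exact date of birth into a ten-year band ("40-49")."""
    y, m, d = (int(x) for x in dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def minimize(rows, key, today):
    """Build the research extract: only study fields plus a pseudonymous ID."""
    return [{"worker_id": pseudonym(r["ssn"], key),
             "age_band": age_band(r["dob"], today),
             "county": r["county"],
             "hourly_wage": r["hourly_wage"],
             "months_employed": r["months_employed"]} for r in rows]


def has_identity_fields(row):
    """Release check: True if any trigger field is still present in a row."""
    return bool(IDENTITY_FIELDS & set(row))
```

The release check is the part worth automating: a copy that fails it should not leave the agency, and a copy that passes it is far less useful to anyone who later breaks into the researcher's machine.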
Do you agree that governments and corporations should tell us when consumer databases with personal information are compromised? Talk back to me.