160,000 individuals who have received healthcare services from the University of California at Berkeley since 1999 have had personal information exposed to overseas hackers. Such personal information includes health insurance information, Social Security numbers, immunization records, and the names of the physicians the victims visited. The groups affected by the hacked database include current and former UC Berkeley students and family members, as well as 3,400 students from Mills College.
The database containing the information appears to have been exposed between October 9, 2008 and April 9. The server breach was discovered when a campus computer administrator, performing routine maintenance, encountered messages left behind by the attackers. Even though campus police and the FBI were immediately notified of the breach, it wasn’t until April 21 that officials learned that data had been stolen.
Slavik Markovich, CTO of a California-based vendor of security products, stated, “It appears that hackers gained access to the underlying databases by exploiting an SQL injection vulnerability in a Web application.” He added that when someone gains access to a database through a Web application, it is usually because of either a configuration error or an SQL injection flaw at the database layer of the application. From there, the hacker can gain access to the operating system and to other databases or applications on the same server.
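To illustrate the kind of flaw Markovich describes, here is an added example (written for this post, not code from the article or from UC Berkeley’s systems; the patient table, its rows and the function names are constructed). A record lookup is built once by string concatenation and once with a bound parameter, and the demo shows how the two behave on the same inputs:

```python
import sqlite3

# Constructed sample data (not from the breach): a tiny patient-records table
# standing in for the kind of database a campus health service would run.
SAMPLE_ROWS = [
    ("P001", "Alice Example", "000-00-0001", "Dr. Smith"),
    ("P002", "Bob Example", "000-00-0002", "Dr. Jones"),
    ("P003", "Carol Example", "000-00-0003", "Dr. Smith"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (patient_id TEXT, name TEXT, ssn TEXT, physician TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, patient_id):
    """Builds the query by string concatenation: the untrusted value becomes
    part of the SQL text, so a quote character in the input rewrites the query."""
    sql = ("SELECT patient_id, name, ssn, physician FROM patients "
           "WHERE patient_id = '" + patient_id + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, patient_id):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so the input can only ever be compared as a literal string."""
    sql = "SELECT patient_id, name, ssn, physician FROM patients WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()


def demo():
    """Returns row counts for a normal lookup and for the textbook tautology
    input, against both versions of the lookup."""
    conn = make_db()
    normal = "P001"
    crafted = "' OR '1'='1"  # closes the literal, appends an always-true condition
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every row in the table for the crafted input, which is exactly the mass exposure described above; the parameterized version returns nothing, because the input is never interpreted as SQL.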
SQL injection is a basic, widely known attack technique. That even an established institution like UC Berkeley fell to it calls into question how much protection is actually placed on information that is supposed to be kept confidential. A positive way of looking at this scenario is to recognize that the attackers did not destroy the information they obtained. However, if they had, would the prestigious university have had adequate backups?
One way of bouncing back from this particular incident is for the university to review its disaster recovery and data backup strategy in more detail. Large institutions can lose sight of the full range of possible disasters until it is too late. Should UC Berkeley consider outsourcing certain responsibilities, such as backup and failover, so that problems similar to this one are less likely to occur?
on Oct 11th, 2009 at 3:14 am
Super-Duper site! I am loving it!! Will come back again - taking your feeds too now, Thanks.
on Oct 11th, 2009 at 10:06 am
I’m sure many of you are like me and one of the first things you do in the morning is head here and check out the new post. Along with seeing the new posts, I’m also always checking out the blog roll rss feed and watching them grow, or shrink sometimes. In one of my past …but all in all excellent site. Keep it up!