MICHELE NORRIS, host:
From NPR News, this is ALL THINGS CONSIDERED. I'm Michele Norris.
NOAH ADAMS, host:
And I'm Noah Adams.
It may be the largest computer breach ever at an American university. UCLA is warning 800,000 current and former students and staff that their personal information - names, addresses, social security numbers - may have been accessed by a computer hacker.
Rachael Myrow of member station KPCC in Los Angeles has the report.
RACHAEL MYROW: How did it happen? Jim Davis is the chief information officer at the University of California Los Angeles.
Mr. JIM DAVIS (Chief Information Officer, UCLA): Plain and simple, it was a direct attack. It was malicious and targeted on this particular database, going after the names and social security numbers. They found a vulnerability in one of hundreds of applications, which allowed the attackers to exploit and get into the database.
MYROW: UCLA officials said attempts to break into a central campus database began in October 2005 and ended November 21st this year when the activity was discovered and stopped. That's an awfully long time, acknowledges Davis. But, he says, the attack was quite sophisticated.
Mr. DAVIS: The attack exploited a very, very subtle vulnerability and it was designed to cover its tracks.
MYROW: UCLA Acting Chancellor Norman Abrams sent out a letter to the 800,000 affected. Abrams wrote the university has no evidence any of the information has been misused. But there's no evidence the information hasn't been or won't be misused in the future.
Jay Foley heads the Identity Theft Resource Center, a San Diego based non-profit. This breach, he says, is another reminder of how sensitive and vulnerable personal information is.
Mr. JAY FOLEY (Identity Theft Resource Center): Everybody has to realize that if you collect it, you're responsible for it.
MYROW: Foley adds a breach is not the same as identity theft. That technically happens when a criminal uses your good credit rating to go on a shopping spree or your valid citizenship to land a job. So in the case of this current breach what are these potential victims to do?
Mr. FOLEY: Well, the first and foremost thing that you're going to do is you're going to place fraud alerts on your credit report. Now, the fraud alert is only a 90 day temporary situation. So that means it falls on you to renew those fraud alerts every 90 days until you feel comfortable. My personal recommendation would be a minimum of two years.
MYROW: Experts also recommend people comb through bank and credit card statements every month, if not every week, online. The UCLA incident is the latest in a series of security breaches at large employers in education, business, and government.
But schools are more likely to come forward when breaches occur, says Rodney Petersen, Security Task Force Coordinator for EDUCAUSE, a non-profit that focuses on technology issues in higher education.
Mr. RODNEY PETERSEN (EDUCAUSE): Well, with respect to what is publicly known, I do believe that colleges and universities perhaps are disproportionately reporting incidents and therefore it blurs the public image of what's happening in other sectors.
MYROW: Security breaches in the corporate world have come to the attention of the public in large part due to a California law that went into effect in 2003. The measure requires disclosure whenever a state resident's personal information is, quote, “reasonably believed to have been acquired by an unauthorized person,” end quote. In recent years, more than 30 other states have adopted similar laws.
For NPR News, I'm Rachael Myrow, in Los Angeles.
ADAMS: And UCLA has set up a telephone number and Web site for those affected by this breach. You can find that information at our Web site, NPR.org.