berkeley letter: UC hacking leaves thousands at risk of ID theft

[security curmudgeon <jericho () attrition org>]

---------- Forwarded message ----------
From: Skyler King <SKing () checkpoint com>

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/05/08/BAPA17H89B.DTL&feed=rss.bayarea

Sent to students/employees:

Dear Associate of UC Berkeley,

We are writing to you because UC Berkeley`s University Health
Services, UHS, recently learned that criminal computer hackers broke
into electronic databases containing personal information belonging to
some UHS clients and their parents or spouses.

Although the investigation is still underway, we wanted to alert you
as soon as possible that some of your personal information, including
your Social Security number stored on those databases, was stolen,
which puts you at risk for identity theft. It is also possible that
your parents or guardian or spouse`s information was taken if you
waived enrollment in the Student Health Insurance Plan, and they were
the policy holder of your health coverage.

In addition, the criminals may have stolen information related to your
health insurance coverage and some of your non-treatment medical
information such as Hepatitis B immunization history, UHS medical
record number, dates of visits or names of providers seen, or for
participants in the Education Abroad Program, certain information from
the self-reported health history. You will receive a second
notification letter from us if, in addition to your Social Security
number, this information was also stolen.

Please be assured that UHS electronic medical records, including
patient diagnoses, treatments and therapies, are stored in a separate
system and were not affected in this incident.

We sincerely regret and apologize for any difficulty that this theft
may create for you.  We have alerted campus police detectives and the
FBI, and we are doing all that we can to investigate this crime. We
are also dedicated to assisting you with information about the
incident and services that can help prevent or minimize the impact
this theft may have on you.

Protecting Your Personal Information

Attached to this letter is a resource sheet to assist you with steps
that you may wish to take to protect your identity and credit. As a
precautionary measure, we urge you to create immediately a no-cost,
formal fraud alert on your consumer credit file.  If someone attempts
to open a new credit card account in your name, this service will
monitor activity on your account.

We have also established a Data Theft Hotline, 888-729-3301. Trained
personnel will be available 24 hours a day, 7 days a week to help you
determine the full extent of your personal exposure and assist you
with information about credit and identity protection services. When
you call, you will be asked to provide personal information to
validate your identity.

Additional information can also be found on our dedicated web site:
http://datatheft.berkeley.edu

Background Information about the Theft

UC Berkeley computer administrators determined on April 21, 2009 that
restricted electronic databases had been illegally accessed by
hackers, and that the data thefts began on October 9, 2008, and
continued until April 6, 2009.  All of the exposed databases were
immediately removed from service to make sure that they would be
completely protected from any future attacks.  To ensure that we fully
understand the nature of the security breach and to determine the
steps that we can take to minimize the risk of a reoccurrence, the
university has hired an outside auditor, Price Waterhouse Coopers, to
support our ongoing investigation of the incident.

Finally, please be aware that sometimes in these situations, dishonest
people falsely identifying themselves as UC Berkeley representatives
may contact you and offer assistance with the intention of obtaining
more personal information from you. If you call our Data Theft Hotline
the operator will need to ask for information to validate your
identity, but we want to assure you that UC Berkeley will not contact
you by phone, e-mail or any other method to ask you for personal
information. If you are uncertain about any inquiry, please call our
hotline directly.



Sincerely,



Steve Lustig
Associate Vice Chancellor, Health and Human Services

Shelton Waggener
Associate Vice Chancellor & Chief Information Officer




Understanding and Protecting Yourself from Identity Theft

People who have had personal information stolen are at risk if they do
not take steps to protect their identity. According to a Federal Trade
Commission report, most identity theft involves the illegal use of
credit card, bank, utilities, and other existing accounts.
Fortunately, there are steps, described below, that you can take to
protect yourself and your credit. In addition, extensive information
on personal identity theft and fraud and protective steps you can take
is available on the Web site of the California Office of Privacy
Protection, a division of the state Department of Consumer Affairs,
http://www.privacy.ca.gov.

PLACING A FRAUD ALERT
By placing a fraud alert on your consumer credit file, you let
creditors know that they should watch for unusual or suspicious
activity in any of your accounts, such as someone trying to open a
credit card account in your name.

To place a free fraud alert, call one of the three major credit
reporting agencies listed below.
Your phone call will take you to an automated phone system. Be sure to
listen carefully to the selections and indicate that you are at risk
for credit fraud. You need only contact one of these agencies, which
will automatically forward the fraud alert to the other two. These
agencies offer the initial fraud alerts at no charge.

Equifax
888-766-0008
Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374
http://www.equifax.com
Equifax home page
http://www.equifax.com/answers/set-fraud-alerts/en_efx
Equifax fraud alert information page

Experian
888-397-3742
Credit Fraud Center
P.O. Box 1017
Allen, TX 75013
http://www.experian.com
Experian home page
https://www.experian.com/consumer/cac/InvalidateSession.do?code=SECURITYALERT
Experian credit fraud page
http://www.experian.com/consumer/fraud_faqs.html#security
Experian credit fraud FAQ

TransUnion
800-680-7289
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834
http://www.tuc.com
TransUnion home page
http://www.transunion.com/corporate/personal/fraudIdentityTheft/fraudPrevention/fraudAlert.page
TransUnion fraud page

Soon after you place a fraud alert, you will receive credit reports by
mail from all three reporting agencies. In the credit report, check
your personal information, including home address, Social Security
number, etc., for accuracy.  Look for any charges that you did not
make.  Watch for any accounts that you did not open.  Note any
inquiries from creditors that you did not initiate.

If you find anything that looks suspicious or that you do not
understand, call the credit agency at the telephone number listed on
your credit report. You may also wish to call your local police or
sheriff`s office to file a report of identity theft.

PLACING A SECURITY FREEZE
A security freeze means that your credit file cannot be shared with
potential creditors unless you give your consent. If your credit files
are frozen, even someone who has your name and Social Security number
would probably not be able to obtain credit in your name. If you take
this step any new creditors that request your file from one of the
three credit bureaus will only obtain a message or a code indicating
that the file is frozen. While you will be able to lift the freeze for
legitimate inquiries, you should be aware that this can slow any
credit approval process.

A security freeze is free to those who have a police report of
verified identity theft. To obtain a police report, contact your local
police department. Give the police as much information on the theft as
possible. One way to do this is to provide copies of your credit
reports showing the items related to identity theft. Black out other
items not related to identity theft. Give the police any new evidence
you collect to add to your report. Be sure to obtain a copy of your
police report. You will need to give copies to creditors and the
credit bureaus.

If you do not have a police report, it costs $10 to place a freeze with each
credit bureau, for a total of $30. The credit bureaus require that freeze
requests be made in writing.

Samples of freeze request letters can be found at:
http://www.oispp.ca.gov/consumer_privacy/consumer/documents/pdf/cis10securityfreeze.pdf


Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Send by certified mail.
Include name, current and former address, Social Security number and
date of birth.  Pay by check, money order or credit card, Visa, Master
Card, American Express or Discover only. Give name of credit card,
account number and expiration date.

Experian Security Freeze
P. O. Box 9554
Allen, TX 75013
Send by certified mail.
Include full name, with middle initial and Jr./Sr., etc.  Include
current address and home addresses for past five years, Social
Security number, birth date and two proofs of residence, such as a
copy of driver's license, utility bill, insurance statement, bank
statement.  Pay by check, money order or credit card. Give name of
credit card, account number and expiration date.

TransUnion Security Freeze
P. O. Box 6790
Fullerton, CA 92834
Send by regular or certified mail.
Include first name, middle initial, last name, Jr./Sr., etc.  Current
home address and addresses for past five years, Social Security number
and birth date.  Pay by check, money order or credit card. Give name
of credit card, account number and expiration date.

Additional information on how to initiate a Security Freeze can be
found on the Web site of the California Office of Privacy Protection:
http://www.oispp.ca.gov/consumer_privacy/consumer/documents/pdf/cis10securityfreeze.pdf

CREDIT MONITORING
This service will send you e-mail alerts when new accounts, inquiries,
negative information, credit-limit changes, and other items appear on
your credit report. The following firms all offer credit monitoring
services on a monthly basis with prices ranging from $4.95 to $14.95 a
month.  Please note that Federal Trade Commission and country`s
leading consumer groups do not endorse this particular service. They
suggest that signing up for a free Fraud Alert and placing a Security
Freeze on your credit file offers a higher level of protection.

Experian: http://www.experiandirect.com/triplealert/default.aspx?sc=668715
True Credit:
https://www.truecredit.com/products/optimizedOrder.jsp?package=TriBureauCMU
Identity Guard: http://www.identityguard.com/getprotected/landing.aspx
Equifax: http://www.equifax.com/id-patrol/
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently 
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss