Seeking to allay fears on data loss

Times Staff Writers

Mari Nicholson doesn’t know for sure that her recent problems with identity theft have anything to do with a major computer security breach disclosed this week by UCLA. But it might explain some weird coincidences.

Nicholson, a 2003 UCLA graduate, was among those who received e-mail notification Tuesday that their personal information may have been stolen by hackers who broke into a central UCLA database in the fall of 2005 and had access to sensitive records until last month.

On Tuesday, UCLA officials were scrambling to answer questions from Nicholson and thousands of worried students, alumni, employees and others about the hacker attack. The records of about 800,000 people were in the compromised database.

University officials have said that although hackers obtained some Social Security numbers, the university had no evidence that any of the information was misused.


But some people, such as Nicholson, started looking for patterns that might explain their recent financial troubles.

Now a graduate student at Johns Hopkins University in Maryland, Nicholson, 25, said she discovered problems with her credit file in October when she tried to apply for a federal student loan. She found that someone had taken out a $24,500 car loan and made other purchases in her name using identifying details about her, including an old address from her student days at UCLA.

Nicholson said she has spent hours nearly every day trying to straighten out her badly tarnished credit file -- notifying police, dealing with creditors and closely monitoring her credit reports. When she saw the e-mail that UCLA sent to potential victims, it all seemed to make sense.

“I thought, like, ‘Bingo!’ ” she said. “It may or may not be related, but it would sure solve a lot of the mystery of it.”


College computer systems throughout the country are becoming an increasingly popular target for hackers. Several security experts said the breach at UCLA appears to be one of the largest ever suffered by an American university.

The university sent e-mail or letters to those in the database for whom it had contact information. It also established a website to provide information and answer questions about the incident -- -- and set up a toll-free hotline: (877) 533-8082.

By 5 p.m., a spokesman said, the hotline -- actually 25 call centers around the country -- had received about 8,450 calls, many from people who had not received notification but had reason to believe they might be part of the affected group. By 2 p.m., the website had received 10,000 individual visitors.

“It goes without saying that most people are expressing concern,” UCLA spokesman Phil Hampton said. He added that at least 50 more calls had been fielded at the office of acting Chancellor Norman Abrams, who has sent potential victims a letter notifying them of the breach and expressing regret.


On campus, students and employees voiced concern about the incident and said it was the talk of dorms and offices.

“I haven’t heard of anybody who has had their Social Security number taken, but it’s a pretty scary thing,” said Teo Soleymani, 18, a second-year student who received notice that he was in the database. “The worst part is they found out just recently, and that’s terrible. I mean, how could some of it be so open and how could the administration not see it?”

Soleymani said he will monitor his credit card accounts carefully for unauthorized purchases.

Tejinder Aulakh, a computer science and engineering major who will graduate this month, said he was enrolled this quarter in a database course that covered computer security. “I feel pretty bad about this whole incident,” he said. “I wasn’t expecting UCLA to be so careless about this information.” He too said he planned to check his credit report within the week.


Jim Davis, UCLA’s associate vice chancellor for information technology, said the intruders appeared to have obtained information from only one of many sections of the database, although he added that he did not know what percentage of the total data was contained in the compromised section.

“The vast majority of files are in other sections, and we have no evidence that any of those have been accessed,” Davis said. He added that the database acts as a directory of contact information for students, alumni and employees and also holds some payroll, human resources and financial aid records.

Davis also clarified Tuesday that although most of the files in the affected database stretched from the early 1990s to the present, a few might involve former students or staff who studied or worked at UCLA before then.

“There could be a smattering of people like that, maybe some people who’ve come back and had some interaction with the university


Partly because of the growing risk of security breaches and identity theft, UCLA, like many other colleges and universities, in recent years has started to move away from using Social Security numbers as the primary identifiers for students and employees unless the number is required by law. Such required instances include payroll and financial aid forms.

“If it’s a key card access to a building or to a particular website, you shouldn’t have to have the full Social Security number for that,” Davis said. More often these days, he said, students are asked to supply the final four digits of their numbers or to choose user IDs.

UCLA’s action in notifying all those in the database was applauded by several privacy advocates, including Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer information and advocacy group.

For those who believe their information may have been compromised, Givens had several tips. She urged people to contact credit reporting agencies immediately and ask that a free 90-day fraud alert be placed in their records. She suggested that people consider freezing their credit reports, which costs $10 per credit bureau.


Her group’s website, www.privacyrights.orgcontains other tips, as does the website for the state’s Office of Privacy Protection,