Campus alerts individuals to IT security breach

UC Berkeley officials announced today (Monday, Dec. 15) that they have begun notifying approximately 1,600  individuals that their personal information may have been hacked by an individual or individuals who gained access to servers and databases in the campus’s Real Estate Division.

Among the data were about 1,300 Social Security numbers and approximately 300 credit card numbers. Many of the individuals impacted are current or former campus employees, but the group also includes individuals with companies doing business with the division. The data cover a time period from the early 1990s to May 2014.

There is no evidence that hackers actually downloaded and used the personal information. Individuals are being notified so that they can be on alert for possible signs of misuse of their information. The notification is in compliance with California law.

“We understand that it’s disturbing to learn that your Social Security number or credit card number may have been exposed to hackers, and we truly regret that this has occurred,” said Paul Rivers, the university’s interim chief security officer. “We are encouraging those affected to take advantage of the free credit monitoring service that the university is offering to those impacted by the breach.”

The campus’s Real Estate Division, which includes the units formerly known as Capital Projects and Physical Plant-Campus Services,  has implemented a number of new protocols and processes to help prevent such an incident from occurring again. And campus technology officials are encouraging all campus units to review the campus’s information security policies and best practices.

The data breach involved unauthorized access to servers used to support a number of Real Estate Division programs. These servers were not a primary storehouse of personally identifying information: A limited number of files were found to contain such information. Examples include employee expense reimbursements, small companies that used personal Social Security numbers as tax identification numbers, and payments to outside consultants.

The breach was discovered in September and, in response, the affected servers were removed from the network. In the weeks that followed, the campus reviewed the data stored on the affected servers to locate personally identifying information and identify individuals affected. Because the compromised servers contained such a large volume of data, an outside firm was brought in to lead the search for any personally identifiable information on the servers. The bulk of the data review process regarding personally identifying data concluded the week of Nov. 17, and the process of identifying individuals impacted and gathering corresponding contact information for notification concluded last week. Notification letters went out starting Dec. 12.  Most individuals will have already received the letter, others will receive them in the coming days.

The campus Real Estate Division, working in coordination with campus IT officials, has been taking a number of steps to address the security breach. These include a review of all data involved in the breach and enhancing information security controls in the division.