Russell's Blog

New. Improved. Stays crunchy in milk.

Gee, thanks UCLA

Posted by Russell on December 12, 2006 at 3:42 p.m.
The LA Times is reporting that a database containing personal records of 800,000 UCLA students, staff and faculty was breached. Not only was it hacked, but it took them a year to notice.
UCLA officials said the attack on a central campus database exposed records containing the names, Social Security numbers and birth dates -- the key elements of identity theft -- for at least some of those affected. The attempts to break into the database began in October 2005 and ended Nov. 21, when the suspicious activity was detected and blocked, the officials said.
This is a somewhat ambiguous way of phrasing it. If "Nov. 21" is meant to be November 2006, then it took UCLA more than a year to notice what was happening. If it was November 2005, then it took them more than a year to fess up. Either way, it's disastrously incompetent.

As it often does, the LA Times takes the most stupid possible position on the problem. Instead of criticizing UCLA for its incompetence, they conclude that it is the "openness" of universities that leads to these breaches.

The UCLA incident is the latest in a series of computer security breaches affecting private organizations, financial institutions, government agencies and other large employers. Partly because of their tradition of openness, universities are proving to be a favorite -- and often vulnerable -- target, several experts in the field said Monday.

"Universities tend to have a lot of information floating around in a lot of different places," said Jay Foley, executive director of the Identity Theft Resource Center, a San Diego-based nonprofit. "They are places we send our children to share ideas, and it's hard to mix the open sharing of ideas with the need to tighten down on security."

This is so stupid it makes me see red. There is no conflict between "the open sharing of ideas" and protecting people's social security numbers. The LA Times is pushing the narrative that technological progress is incompatible with privacy and free speech.

No, dipshits. Incompetent database management is incompatible with privacy, and "the open sharing of ideas" has nothing to do with it.

The most infuriating thing about these breaches is that, for the most part, universities and companies have no use for this data. The data they do need is ineptly and haphazardly scattered around the organization in dozens or hundreds of semi-formal databases, usually replicated inaccurately and incompletely by hand on an ad-hoc basis. It usually isn't the database that is actually important to the institution that gets hacked; it's one of the little ones that was set up to solve some side problem in an organizational backwater. Once those databases are created, they always grow; institutional instinct is to always collect more information, and to keep it as long as possible. It is the marriage of proliferating, non-critical and ineptly administered databases of sensitive information with institutional instincts about record keeping that is destroying our privacy.

The solution, I think, is more, not less, "openness." Stop asking people to register, sign in, or create an account in order to do trivial things. I understand the need to associate people's social security number with, for example, their payroll information, or their grade transcripts. Hire professionals to build, administer and protect those databases, and they can be as safe or safer than paper records. I do not understand the need to place this information in databases used to control access to the gym, library, parking garages, et cetera. Anonymity and physical security are the solutions to these privacy threats. It might cost more to let the general public access those facilities, but I think that is a small price to pay for limiting the number of targets for would-be identity thieves.

Update:

It looks like I am among the 800,000:

...

I regret having to inform you that your name is in the database. While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers. Therefore, I want to bring this situation to your attention and urge you to take actions to minimize your potential risk of identity theft. I emphasize that we have no evidence that personal information has been misused.

...

I guess I should be glad that I live in California, where they are at least required to tell me when this shit happens.