
The Experience of a Large Database Security Breach

Jim Davis Associate Vice Chancellor & CIO

Securing California


What Does it Feel Like

Denial --> Acceptance

Technical --> Personal

Local --> Institutional [lost laptop different]

Comfortable --> Vulnerable

No longer the same


Agenda

• Decision to notify
• Notification: Email, Letters, Call Center, Website, Media, Calls
• People, People, People
• Aftermath
• Lessons Learned


UCLA Security Incident

Attack detected November 21, 2006

Incident Response Plan put into action
• Took server offline
• Appropriate notifications and engaged FBI
• Began forensic analysis of logs

Sophisticated attack, activity concealed


UCLA Security Incident

Compromised database contained records for 803,000 persons

• Current & Former Students (UCLA)
• Current & Former Employees (UCLA, UCOP, UCM)
• Applicants (UCLA)
• Parents of Financial Aid Applicants (UCLA)

Contained Names & SSNs
• No Drivers License, Credit Card or Bank Account numbers


Decision to Notify

Notification authority rests with CIO

Well-established incident response protocol

The decision panel
• ISO
• IPO
• Dir responsible for breached database operation
• Campus network architect
• Legal counsel
• UC IPO


Primary notification criteria

Determining the Threshold for Security Breach Notification

Factors

A-1. Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information.

A-2. Indications that the information has been downloaded or copied, for example: an ftp log that contains the name of a file containing notice triggering information.

A-3. Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.


The Important Additional Criteria

The University of California recommends consideration of these additional factors:

Factors

B – 1. Duration of exposure.

B – 2. Indications that any download or copy activity has occurred, even if there is no specific evidence that there was a download or copy of data subject to the law.

B – 3. The extent to which the compromise indicates a directed attack, such as a pattern showing the machine itself was specifically targeted.

B – 4. Indication that the attack intended to seek and collect personal information.


Decision Tensions

Big difference in impact on institution between 10,000s vs. 100,000s of notifications

Big difference in logistics to notify between 10,000s and 100,000s

• Wait too long to notify, not responsive
• Wait too long to notify, lose capacity to manage relationships
• Notify too quickly, not prepared to manage relationships
• Notify too many, too quickly, unnecessary alarm
• Informed people protect themselves better
• UCLA’s philosophical position on individual privacy is to keep people informed


Notification Logistics

Notification process project managed by executive lead of unit

Federated environment

Policy puts primary resource burden on unit

Notification logistics and execution team
• Unit Executive Head
• Dir responsible for breached database operation
• CIO
• ISO
• IPO
• Campus network architect
• Legal counsel
• Media and communications

Functioned like an emergency response team


The Decision Chart

[Chart: Notification # (up to 800 K) and Notification Effort plotted over Week 1 to Week 4, marking the Notification Decision, the Large Notification Logistics Decision, the 800K Notification Decision and the Notification Process]


Notification

Decided to notify 803,000

• Email, US Mail
• Addresses for 70%
• Press releases and media reports
• News outlets California, nation and world
• LA Times, NY Times, AP, CNN, all local TV stations
• www.identityalert.ucla.edu
• 26 Call Centers, 1600 Operators
  - 1000 calls/hour initially
  - 35,000 calls received to date
  - 400 follow-up calls
• Reached 75-80% of affected population

Institutional relationship maintained


Scripting for A Call Center

Script must be precise, thorough and ‘bullet-proof’

Script and operators must be amenable to immediate corrections and enhancements

Script must allow for quick and simple coding into a database


Adjusting the Script:

Original Script Greeting:

“Thank you for calling the UCLA Identity Alert Hotline. I would like to assist you. UCLA knows that this incident has caused concern, and I want to provide you with the information and suggest steps you can take to protect yourself from the possibility of identity theft. So that I can better assist, can you please tell me whether you received notification from the university or whether you heard about the call center from news media reports?”

Script 1 hour Later:

“Thank you for calling the UCLA Identity Alert Hotline. How may I help you?”


Call Center Statistics: December 2006 – August 2007


http://www.identityalert.ucla.edu/

Gwen’s website slides here


http://www.identityalert.ucla.edu/what_you_can_do.htm

Gwen’s website slides here


Identity Alert Web Statistics: December 2006 – September 2007 (and 1/07-9/07)


Need for Escalation Path

Call center serves specific role:

Validation, resource referral and data collection

BUT… Callers are frightened, frustrated, angry, panicked, indignant, hurt and

• Need to know more details
• Need to speak with a UCLA representative who can respond knowledgeably, accurately and honestly
• Need empathy
• Need reassurance and assistance regarding next steps


Individual Relations

The largest group
• Felt violated, anxious
• Wanted a live person
  - Answers
  - Reassurance
  - Clarification
  - Empathy

Smaller group
• Information & answers

2% angered and distraught
• Demanded to speak to a UCLA official
• 600 individual calls


“Angry, Irate, Distraught”: Examples of Escalation Call Questions

“How did UCLA let this happen?”

“The last letter I received from UCLA was a rejection letter, and now I get this. Why was I in your database?”

“I just got a letter! Does that mean my identity has been stolen?”

“Who was fired? I want to know who’s responsible for this!”

“This is tremendously upsetting and it’s time-consuming to fix. How is UCLA going to make this right for me?”

“My child got this letter, and he was killed last year. What should I do?”


Post Notification Chart

[Chart: Notification # (800 K) and Notification Effort plotted over Week 4 to Week 7, marking the Notification Decision, the Notification Process, the Decision to Contact 28,600 and the Compliance Reviews]


Follow-up Letter

Personalized


Breach Aftermath

Policy and compliance reviews - no compliance issues
• UC Office of General Counsel
• State Attorney General
• UC Board of Regents

SSN policies - no compliance issues
• Sparked broader initiatives at state and federal levels on use of SSNs
• State representative and judiciary
• FTC

Notification laws - Senator Feinstein

Constituency relations
• Relations with university generally retained
• No identity theft directly attributable


Reducing Retention of Personal Data

Every SSN had a requirement
• Financial Aid reporting
• Federal Tax Relief Act tuition tax credit
• Test scores
• National Student Clearinghouse
• IRS & EDD
• Identity Matching


UC-wide Information Security

Policy development and communication:
- UC Electronic Information Security Policy
- Stewardship of Electronic Information Resources

Compliance strategies: (e.g. HIPAA, California Security Breach legislation, Payment Card Industry data security, security rider for vendor contracts)

Shared resources: (e.g. UC Security web site; security software & professional services agreements; UC security experts work group)

Information collection and dissemination:
- Tracking security breaches and sharing information
- Raising awareness of the importance of information security


Lessons Learned

• Independent and objective panel for deliberations about whom to notify
• Provisions for confidentiality
• Ensure the call center and web site are ready when notification begins
• Spend time setting up the call center
• Notify through different channels
• Only solid information will cut


In the end it’s personal

Notify if YOU would want to be notified

Notify as YOU would want to be notified

Sincerity Drives the Day