UC Davis Security Breach

[wildfocus]

---

Members do not see this ad.

Did anyone else get this letter from UC Davis? I just don't have time to deal with this!! BLAHHH 😡


Dear Applicant,

School of Veterinary Medicine

I’m sorry to be sending you the attached letter regarding a computer security breach that involves your personal information included in your application to the School of Veterinary Medicine at UC Davis. Please take the time to read this letter, visit the web sites which offer additional information and references, and take the suggested steps to protect yourself and prevent your information from being misused.

Sincerely,
Bennie I. Osburn

 

[QTkitty]

I got this too! What a load of bull!! I withdrew my app in February... why do they still have my app on file? I don't even know what to do with this. RIDICULOUS!!!!😡

 

[rexosaurus]

Yes, unfortunately, I too got this letter! Grrrrrr! 😡

 

[Serendipity4]

Yep, me too! I've already been on the phone with the bank, discussing whether or not to put fraud alerts on my accounts... And signing up for a stupid fraud alert thing through my bank (which I'm sure I won't think is so stupid if it actually does catch something)... Speaking of fraud alert stuff, you know the part where they said they were paying for a fraud alert system for us for a year? They sent us to the website "for more information," which I went to, but all I could find was them, again, saying they're going to pay for that. There wasn't, however, any information on how to sign up for it, etc. Did anyone find anything more than I did?

I'm not gonna lie, I considered for a short time just ignoring the E-mail and not doing anything about this. Taking my chances, watching my credit card that I've got, etc. But my sister was the victim of identity theft a couple years ago and it was NOT fun. *sigh* Free credit reports, here I come!

 

[wivet2011]

How'd that happen? Hope everything turns out ok for you guys.

 

[sdb9]

They sent us to the website "for more information," which I went to, but all I could find was them, again, saying they're going to pay for that. There wasn't, however, any information on how to sign up for it, etc. Did anyone find anything more than I did?

I had the same experience! Is more information to follow?

 

[soxbox]

I had the same experience! Is more information to follow?

I really hope there is more to follow. This is such crap... If there is not an update to that website by tomorrow with more info, I am calling and will not stop calling until I get more information...

damn... and to think all i got was an interview followed by a big fat rejection and now identity thievery... thanks a lot UCD!!

final thought... who would target vet students??? most of us are poor and we will just get poorer over the next few years... ugh!!!!

 

[kate_g]

I've got many of the same questions as expressed above, and I'm going to send an e-mail to the dean's office with a list of questions. I'm gonna post the questions and the answers I get to save everyone the trouble of asking/answering the same questions over and over. If you want to add any questions that you think others would also want the answers to, you can PM me and I'll add them to the list. I'll wait until tomorrow afternoon (Pacific time) to send the e-mail, so lemme know before then.

Questions I plan on asking:
- When did the attack actually occur? (The letter says it was *discovered* on June 15th. If someone has just opened an account in my name, it won't show up on my credit report for another month or so. So I'd be wasting my one free annual credit report if I ordered it now. On the other hand, if the attack was several months ago, I want to check credit reports as soon as possible.)
- How do we sign up for this credit monitoring service? Will they enroll us automatically, and if so, what contact information will they give the company? What is the name of the company, and should we expect to be contacted by phone, e-mail, or regular mail? Will we receive some kind of baseline report, or only be notified if they detect something fishy?
- Will there be more information to follow, and how will you contact us with that information - especially those applicants who are not actually in the entering class? (Good question sdb9 and soxbox.)

 

[ShelterGirl]

Thanks kate_g for pulling together the questions.

So nice to have insult (personal data compromised) added to injury (rejection) 😡😡

My questions are - do they know whose data was compromised, or was it every applicant's? If they know that some people's data was breached for sure, will they be letting them know separately? (I also wanna know how to sign up for the free monitoring thing they mentioned!)

 

[kate_g]

do they know whose data was compromised, or was it every applicant's?

My *guess* is that all they know is that somebody got access to the database that contained this year's applicants. So everyone's data were "compromised," but they can't say for sure whether anyone's data were actually taken. (What I'm thinking is that trying to hack into university computers has always been a favorite pastime of computer science students. They're not after anything in particular, and wouldn't know where to sell private data if they ever got it 'cause they're nerds and not criminals. The game is just to prove you can get in...)

Anyway, I agree it would be good to know for sure; I'll add that to the list.

Jeez... Now that I'm thinking about it... I wonder if they checked to see whether any database fields were *changed*. I'm envisioning some long-shot applicant getting her computer-geek boyfriend to hack in and change the "accepted" field from "no" to "yes"...

 

[PAThbrd]

Jeez... Now that I'm thinking about it... I wonder if they checked to see whether any database fields were *changed*. I'm envisioning some long-shot applicant getting her computer-geek boyfriend to hack in and change the "accepted" field from "no" to "yes"...

hehe

I had the same thing with Sacred Heart College about a year ago. I have no idea how they got my info as I didnt even apply there or ever even request info or anything like that when i was looking at undergrad schools. Look at the bright side... when you put a fraud alert on your credit file, you get free credit reports from the three big credit bureaus and you stop getting all of the pre-approved credit card mail!

 

[4theanimals]

Add me to the list. And like QTKitty I pulled my app early in the process. What a crock. Anyway, it's very easy to put a fraud alert in place (and it should be free). Here is info to contact TransUnion's Fraud department. You call them and they notify the other two credit bureaus. 800-680-7289. Only takes a couple of minutes. BUT that doesn't necessarily mean anything. Not everyone will pay attention to it. So, I too would be very interested in the supposed years monitoring they mentioned. As Kate_g mentioned you get one free credit report a year. I normally run my report once a year to monitor so I've already used my free report for the year. And I love the idea that someone got their geek boyfriend to hack in. 😛

 

[CookieBear]

First, I propose that it's a guy getting his geek girlfriend to hack in 😛

Second, in case anyone has a WAMU credit card, I do know that they offer your credit profile on their website as a free service, automatically, with your FICO score and other things. It MAY help in a case like this, if they give more details, etc. on that screen. (This free service doesn't negatively affect you at all; I asked WAMU at one point, because I was concerned about that).

Third, I didn't apply to Davis (don't they only take 0.02 non-residents? 🙄) ... so I probably shouldn't even be attempting to but-in (or is that "butt in") on this thread...!

Fourth: Sorry you folks are having to deal with this. That totally sucks.

 

[RubyJoe]

I was about to post this on the Davis class of 2011 yahoo group as well... I've got many of the same questions as expressed above, and I'm going to send an e-mail to the dean's office with a list of questions. I'm gonna post the questions and the answers I get on the yahoo group to save everyone the trouble of asking/answering the same questions over and over. If you want to add any questions that you think others would also want the answers to, you can PM me and I'll add them to the list. I'll wait until tomorrow afternoon (Pacific time) to send the e-mail, so lemme know before then.

Questions I plan on asking:
- When did the attack actually occur? (The letter says it was *discovered* on June 15th. If someone has just opened an account in my name, it won't show up on my credit report for another month or so. So I'd be wasting my one free annual credit report if I ordered it now. On the other hand, if the attack was several months ago, I want to check credit reports as soon as possible.)
- How do we sign up for this credit monitoring service? Will they enroll us automatically, and if so, what contact information will they give the company? What is the name of the company, and should we expect to be contacted by phone, e-mail, or regular mail? Will we receive some kind of baseline report, or only be notified if they detect something fishy?
- Will there be more information to follow, and how will you contact us with that information - especially those applicants who are not actually in the entering class? (Good question sdb9 and soxbox.)

Thanks for starting the list of questions!

I would also like to know whether or not they have filed this complaint with the city or county police? In their letter it stated that the the university police were the only authority involved. Legally, how much power is granted to the university police? At the university I went to they did not have much authority at all, which makes me wonder how thorough an investigation is being conducted.

 

[kate_g]

Legally, how much power is granted to the university police? At the university I went to they did not have much authority at all

Good questions, I put them on the list.

 

[ShelterGirl]

Hey everyone,

Looks like they posted more details on their website, particularly about when/how the breach was discovered and about the free monitoring service:

http://www.vetmed.ucdavis.edu/computer_security/default.htm


Here's the press release, if you're interested:

http://www.news.ucdavis.edu/search/news_detail.lasso?id=8225

 

[kate_g]

Magically, the two questions I originally posted here and on the 2011 yahoo group have already been answered on the web page!

How do we get access to the credit monitoring service?
We are currently discussing a service contract with the credit monitoring agencies, and do not have any information on this yet. We plan to finalize this over the course of the next two weeks, and we will have information on the website at that time. The university cannot sign individuals up for this service, but we will provide information on how you can sign up, and the university will pay for the service.

We will send out an e-mail to let you know when that service is available.

Will there be any more information to follow?
We do not expect any more information to follow, other than the information on access to the credit monitoring service discussed above.

RubyJoe, it sounds from the press release like the campus police are working with a "task force" with broader authority:

A criminal investigation into the apparent hacking and misuse of computerized veterinary medical school admissions records has been launched by the University of California, Davis, Police Department, in cooperation with the Sacramento Valley High Tech Crimes Task Force.

 

[soxbox]

So from I have gathered from reading the press release is that our information was actually used fraudulently? Is that what you guys understood from that?
I wish they would have been more clear on that... I want to know how it was fraudulently used... like was the list of all of our info sold? or hopefully something more benign 🙁

Does anyone know how much placing a fraud alert affects me actually applying for credit and such? Is it a huge pain in the ass for me to have to get around? I know over the next few months I will be applying for some new credit and since I am moving I am not sure where or how my credit might need to be accessed...

oh yeah... and I tried calling that number.. useless. all i could get was a voicemail. my fingers are crossed that I actually get a call back 🙂

 

[kate_g]

So from I have gathered from reading the press release is that our information was actually used fraudulently? Is that what you guys understood from that?

I believe what they were referring to was a problem that some students in the entering class had - when they got their student ID number and went to set up a computing account (Davis e-mail address, access to finaid, registration, etc.) they got an error saying an account had already been set up in their name! So apparently whoever got access to the database then messed around with some student's accounts.

 

[soxbox]

I believe what they were referring to was a problem that some students in the entering class had - when they got their student ID number and went to set up a computing account (Davis e-mail address, access to finaid, registration, etc.) they got an error saying an account had already been set up in their name! So apparently whoever got access to the database then messed around with some student's accounts.

ah... ok... i feel a bit better now 🙂 i also ran my credit report .. and was very sad.. not because anything fraudulent had occurred... but I saw my total debt (not counting any of my soon to be vet school debt)

I did get through to that number finally and I think the woman who answered (it must have been a day from hell for her) was instructed to basically not say anything. Her only answer to me was, "it was in the email" ... she said that no matter what I asked... so basically folks, its in the email 🙂

 

[kate_g]

OK, so I e-mailed the dean's office. Here's the list of questions, and their answers (as I mentioned above, some of the questions - how do we sign up for the credit reporting, will they post more information, and is anyone other than the UCD police dept. involved - were answered on the updated web page and in the press release).

Q1. When did the security breach actually occur?

We do not know when the security breach first occurred. When you place a fraud alert you will receive a free copy of credit reports so that you can determine if there have been any problems thus far. Going forward you can utilize the credit monitoring service, and you still have access to one free credit report per year.

Q2. Do you have a way of knowing which (and whose) data were actually taken, or only that the hacker gained access to the entire database?

We know that the hacker had access to the entire database containing names, birth dates and social security numbers. He or she used the data of all 2007 applicants to attempt to set up student accounts, with very limited success. That is all we know.

Q3. Did that database contain our entire VMCAS records?

The VMCAS record that was sent to UC Davis was on the database. It appears from what has been uncovered so far that the unauthorized person queried only names, birth dates and social security numbers.

Q4. Did the database contain any information that entering students supplied to other University offices, such as our Statement of Legal Residency, FAFSA, or medical documentation?

UC Davis has no FAFSA information in our databases or medical
information.

Q5. Do you have any leads or developemnts? (Of course you can't provide details that might compromise the investigation, but everyone is curious to know whodunit.) Was the SVM targeted specifically, or was yours just the first database that yielded to the attack?

We have no information that we can share on whodunit. The attack that we know of was directed to the SVM database. The university computing systems are constantly a target of probes from hackers--literally 24 hours a day, every day. The university is not now aware of any other successful attack on its computing systems.

We do appreciate how worried you are, but unfortunately we cannot give
you details about an open criminal investigation. In fact, the police
will not share with us any information they may or may not have
discovered with respect to this investigation. If we are given any
information that we are free to disclose to you (unlikely), we will do
so immediately.

 

[BlueNewfie]

Does anyone know how placing a fraud alert affects applying for student loans? I'm in the middle of applying for alternative loans, and I don't want anything to hinder that process.

This website (http://www.fightidentitytheft.com/flag.html) mentions to be cautious about placing a fraud alert if you're about to take out a home loan but nothing about other loans.

 

[kate_g]

I found it really difficult to get an actual person on the phone at any of the credit reporting agencies - one of them (equifax?) actually says right on their web page that you can't talk to a real person unless you buy something from them - but that's what I'd suggest trying to do, and ask them to clarify what will happen if you apply for a private educational loan.

I do know that the point of the fraud alert is that the lender/creditor is supposed to call you to confirm any application for credit in your name. So make absolutely sure, when you put the fraud alert on, to give a cell phone number or someplace where you'll always be reachable. If they can't reach you when they try to process your application, then it will be delayed at the very least and possibly denied. AND, the lender is not actually under any obligation to call. I get the impression that they could just ignore the fraud alert, or they could deny the application without trying to contact you.

I was about to say that it would be a good idea to tell the lender up front that you were affected by a security breach at a school and as a consequence you've put a fraud alert on your report, to try to head off any confusion. BUT... If I had stolen somebody's personal info and was going to take out a private educational loan in their name, I think I might say "hey just so you know, I placed this fraud alert, so don't worry if that comes up..."

 

[clawsbeatskin]

kate_g, have you tried http://gethuman.com/us/ ?

It's a cheat sheet of codes you can enter in your phone to get a real person when you call. I looked, and Equifax is on there! I've used it for other companies and it's great. 🙂

 

[squeegee]

i also applied to UCD and my bf suggested a monitoring service that he uses through american express, it's called credit secure and for a monthly fee ($11.99) they monitor your credit and inform you if anyone does anything like request a credit report or try to look into your record. I believe you also get quarterly credit reports mailed to you so you can keep an eye on things. I'm not sure if UCD will reimburse for something like this or whether you have to be an american express cardholder to get the service (i am) but i feel like 12 bucks a month is a small price to pay in case something actually does happen. The credit secure guy told me on the phone that while a fraud alert is supposed to prompt lenders and banks and such to be a little stricter on questioning people ("you") if you wanted a loan or something, they don't always follow the alert. Plus, what if the questions have to do with parents' names or addresses or something? The VMCAS had all that information! 🙁

if anyone is interested in checking it out: www.americanexpress.com/newcreditsecure

 

[kate_g]

Davis is supposed to be providing us with a credit monitoring service (when I asked about it they were still negotiating a deal, they'll e-mail us when it's ready and we can sign up). It will be free, which is less than $12/month. 🙂 It's only for a year, but you could always sign up for the AmEx thing after the free year from Davis is up, if you want to keep an eye on things.

And as far as VMCAS having parents' info... The reply I got from the dean's office (see a couple posts above) says that as far as they can tell, only the name, birthdate, and SSN fields were queried. The person breaking in probably wasn't looking for vet students in particular, so they didn't know the VMCAS info was there or what was in it.

Clawsbeatskin, I had heard of that website before, and then of course promptly forgot it. I think it's awesome, though. I love beating the system... 😀

 

[Serendipity4]

So it seems they finally got us our credit monitoring service. Did everyone else sign up?

 

[sofficat]

yeah, i signed up today.

 

[kate_g]

Y'know, I was just thinking about this after getting that e-mail... Davis' reaction to this thing has been so public - press release, big red link to the "security breach information page" on the main SVM web page... So I figure we can assume that the person who stole the info has read all that, right? So they know that the free credit monitoring, which everyone will sign up for, lasts for a year. So they're not going to try to use our info in the next year, because they'll be caught. But the chances are pretty good that after a year we'll all feel safe and not pay for continued credit monitoring. So... If I were them, I'd just wait until next September before trying anything. I mean, it's not like my SSN and birthdate are going to change between now and then, right? So they may have to get a real job (or steal somebody else's info) in order to pay the bills for the year, but after that they'd probably have a pretty easy time of it.

This is assuming, of course, that the police never find out who did it, and that the person didn't destroy their copy of the data when they learned they'd been detected, for fear of getting caught.

Gosh, I'm a terrible cynic.

(I guess I hope that whoever stole the info hasn't also found this forum, because I'd hate to think they *hadn't* thought of the above idea until they read my post...)

 

[rexosaurus]

Kate_g: you think you're a cynic?! my thoughts were that, if this person is smart, or VERY patient, they will wait until we are are all established veterinarians (assuming they know we are all prevets and that we all become successful vets) and in about 20 years use our info. When, of course, we are all laughing about that *silly little scare* back in our pre-vet days! ha! that would really suck, but that's how i think! oh geez, please let this not bite me in the a** 😀

 

[jeeney]

i signed up yesterday