On Saturday, I had noted a breach involving the UCLA Department of Psychology and had tried to alert the department to the breach. They never responded to my notification. Today, the student paper reports the breach. Their report suggests that the university may already have been aware of it before I tried to notify them. That’s good, and it’s good that they are notifying the 26 applicants, although it’s somewhat disturbing that a hack and data dump of applicants’ information is not considered a breach of security. Even if Social Security numbers were not involved, the database was hacked. The incident has duly been added to DataLossDB.org, despite UCLA’s view or their state’s view as to whether this was a breach of security or not.
James Barragan of The Daily Bruin reports, in part:
The incident occurred Friday and university police notified officials from UCLA Information Technology by 9:35 p.m. that night. Although the release of this information is concerning, it is not a breach of security, said Ross Bollens, director of security at UCLA IT.
By law, there are specific requirements about what determines a breach of security and none of the information released by the hacker meets the criteria, Bollens said.
The applicants whose information was released will be notified of the incident, Bollens said.
Bollens seems to minimize the potential for passwords being decrypted:
The information on the release, however, only contains the hash of passwords – a sequence of letters and numbers that cannot be used until it is converted into an equation, which leads to the password. For that reason, the hashes are not of much use to third-party members, Bollens said.
Yeah, it’s not like there are any freely available programs out there to help decrypt them. Oh, wait…
Read more on The Daily Bruin.