Computer hackers struck the University of California at Berkeley between October and April, potentially accessing personal information of 160,000 students, alumni and others, university officials said Friday.
The university learned of the intrusion into computers at the campus' health services center, which took place between Oct. 9, 2008, and April 9 of this year, on April 21 and shut down the exposed database systems and alerted police and the FBI.
The university began sending e-mails and letters today to more than 160,000 people, including current and former UC Berkeley students, as well as their parents and spouses if they were linked to insurance coverage, who had University Health Services health care coverage or received services.
Notifications are also being sent to about 3,400 Mills College students who either received or were eligible for health care at UC Berkeley.
The compromised data for UC Berkeley students, alumni and their parents date back to 1999, and those for Mills College students date back to 2001.
"The university deeply regrets exposing our students and the Mills community to potential identity theft," UC Berkeley Associate Vice Chancellor Shelton Waggener said in a prepared statement.
"The campus takes our responsibility as data stewards very seriously," he said, adding that the university was working with law enforcement and computer security experts to identify and fix the causes of the breach.
According to the university, the hacked databases contained Social Security numbers, health insurance information and non-treatment medical information such as immunization records and the names of doctors that may have been seen for treatment or diagnoses.
A separate system containing University Health Services medical records with patients' diagnoses, treatments and therapies was not accessed, according to university officials.
The hacking was discovered by campus computer administrators performing routine maintenance who found messages left by the hackers.
"Evidence uncovered to date suggests that the attack was launched by hackers overseas," the university said. The attackers came through a public Web site and then bypassed secured databases stored on the same server.
The university is recommending those whose names and data were stolen to place a fraud alert on their credit reporting accounts.
The school has set up a Web site to provide further information for potential victims and has also established a 24-hour data theft hot line, 888-729-3301, to answer questions.