UCLA Identity Alert

 

Identity Alert:
Frequently Asked Questions

Notification Letter (Dec. 12, 2006)

Follow-up Letter (Jan. 10, 2007)

Q: What happened?
A: UCLA computer administrators discovered that a restricted campus database containing personal information had been illegally accessed. Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, a sophisticated hacker exploited a previously undetected software flaw and bypassed security measures. A problem was detected Nov. 21 when computer security technicians noticed an exceptionally high volume of suspicious database queries. An emergency investigation found that the database had been fraudulently accessed since October 2005. UCLA’s ongoing investigation indicates that the hacker sought and obtained some Social Security numbers.

Q: How many and what kinds of records were involved?
A: The illegally accessed database contains the names of approximately 800,000 individuals and includes certain personal information about UCLA’s current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. Also included are approximately 3,200 current or former staff and faculty of the University of California, Merced, and current or former employees of the University of California Office of the President, for which UCLA does administrative processing. The database includes names, Social Security numbers, dates of birth, home addresses and contact information. It does not include driver’s license numbers or credit card or banking information.

Q: Does the compromised database contain any information related to University of California employee payroll direct deposits or retirement investments?
A: Information about employee direct deposits and retirement accounts is stored in different locations, which have not been compromised. The only information in the compromised database related to retirement is the amount an employee chooses to deduct from his or her paycheck and invest on a monthly basis. This information is retained for 13 months. We have no evidence that this information was acquired by the computer hacker. The database containing this information, called At Your Service Online, is managed by the University of California Office of the President. To gain access, employees must log on with a user name and a password. Social Security numbers are the default user name login, and employees are encouraged to change their user name to something other than a Social Security number and not to use a Social Security number as a password.

Q: What is UCLA doing about it?
A: State law requires notification when personal data is reasonably believed to have been acquired illegally. UCLA decided to notify all those whose information is in the database, even though its ongoing investigation at this point indicates only that the hackers sought and obtained some of the Social Security numbers. UCLA’s overriding goal is to provide all affected parties with information on steps they can take to help prevent identity theft and fraud. UCLA also immediately blocked access to Social Security numbers and the database and launched a comprehensive review of information security measures, which intensified enhancements that were already in progress. The database that was illegally accessed has been reconstructed and protected. UCLA also notified the FBI, which is conducting its own investigation.

Q: How do I know whether I am in the affected database?
A: If you received notification from UCLA, your name is in the illegally accessed database. All current UCLA students, faculty and staff are in the database. Those who don’t know whether they are in the compromised database should phone the Identity Alert Hotline established by UCLA, at (877) 533-8082. Provide your first and last name to the operator, who will determine whether you are in the compromised database. If your name does not come up, you are not in the compromised database. The operator may need to ask for additional information, such as the month and day of your birth or the last four digits of your Social Security number, in order to distinguish you from others with the same name.

Q: Does this mean I am the victim of identity theft?
A: No. The fact that someone had access to your information doesn’t mean that you are a victim of identity theft or that they intend to use the information to commit fraud. The university wanted to let you know about the incident so you can take steps to protect yourself. The best way to protect yourself is to place a fraud alert on your credit files and review your credit reports.

Q: If I have confirmed that I am in the affected database, what should I do?
A: As a precaution, UCLA recommends that you contact one of the three national credit bureaus to place a fraud alert on your consumer credit file and obtain a copy of your personal credit report. Once a credit bureau places a fraud alert on your credit file, the two other credit bureaus will automatically do the same. Each bureau will then send a confirmation letter with instructions on how to order a credit report. The fraud alert and credit reports are free. Be sure to follow up with the credit bureaus and order your credit reports. Here is the contact information for the fraud divisions of the national credit bureaus:

Q: What is a fraud alert?
A: Most credit card companies and other creditors won’t issue credit without first checking the applicant’s credit history. A fraud alert tells credit issuers that there is possible fraud associated with the account and gives them a phone number to call before issuing new credit in your name. This is intended to prevent others from fraudulently receiving credit in your name. When you call the credit bureau fraud line, you will be asked for identifying information and will be given an opportunity to enter a phone number for creditors to call. Credit bureaus will send you a confirmation letter which should include instructions on how to order a free credit report. You should then request a credit report. An initial fraud alert lasts 90 days; you may reinstate it after that.

Q: Why can’t I get through to the credit bureau to place my fraud alert?
A: Each of the three bureaus uses an automated telephone system. Each bureau will pass your request for fraud alert to the other bureaus. If you are having difficulty reaching one, try another.

Q: What should I look for in my credit report?
A: In your credit report, be alert for any suspicious activity. Look especially for any accounts you didn’t open and any charges you didn’t make. Look at the inquiries or requests section for names of creditors from whom you haven't requested credit. Look in the personal information section to confirm the accuracy of addresses where you have lived and your Social Security number. Any suspicious activity in these areas may be an indication of fraud. Also be on alert for calls from creditors or debt collectors about bills that you don't recognize and for unusual charges on your credit card bills.

Q: What if there’s a problem on my credit report?
A: If you find anything that looks wrong or suspicious or that you don’t understand, call the credit agency at the telephone number listed on your credit report and review the report with a member of the staff. If information in the credit report can’t be explained, you may wish to file a report of suspected identity theft with your local police or sheriff’s department.

Q: What do I do if I am a victim of identity theft?
A: You should immediately report the crime to your local law enforcement agency, contact any creditors involved and notify the credit bureaus. Detailed information is available on the identity theft victim page on the California Office of Privacy Protection Web site, http://www.privacy.ca.gov.

Q: Is there anything else I can do?
A: Those wishing to take an additional step may consider placing a security freeze on their credit file. A security freeze means that your file cannot be shared with potential creditors. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. A security freeze is free to those who have filed a police report of identity theft. If you don’t have a police report, it costs $10 to place a freeze with each credit bureau, a total of $30. The credit bureaus require that freeze requests be made in writing. Additional information is available on the California Office of Privacy Protection Web site, http://www.privacy.ca.gov.

Q: What is the difference between a fraud alert and a security freeze?
A: A fraud alert is a special message on the credit report that a credit issuer receives when checking a consumer’s credit rating. It tells the credit issuer that there may be fraud involved in the account. Most businesses will not open credit accounts without first checking a consumer’s credit history. A security freeze means that your credit file cannot be seen by potential creditors, insurance companies or employers doing background checks — unless you give your consent.

Q: Will a fraud alert or security freeze prevent me from using my credit cards or getting new ones?
A: A fraud alert won’t stop you from using your existing credit cards or other accounts. It may slow the process of receiving new credit, since the purpose of a fraud alert is to help protect you against an identity thief opening credit accounts in your name. Potential creditors receive a special message alerting them to the possibility of fraud, and they know they should reverify the identity of a person applying for credit. With a security freeze, potential creditors, insurance companies or employers doing background checks are not permitted to see your credit history. Among other things, this likely would prevent you from receiving new credit without your explicit consent.

Q: Will UCLA pay for credit monitoring?
A: By utilizing the free fraud alerts and reviewing free credit reports for suspicious activity, individuals can engage in periodic monitoring of their own credit. For additional information on using free fraud alerts to protect your credit, see Additional Credit Protection Options on this site and the Identity Theft Resource Center http://www.idtheftcenter.org/. While credit bureaus offer fee-based monitoring services, it is up to individual parties to determine whether they wish to pay for such services.

Q: Is it OK to give my Social Security number to the credit bureau fraud line?
A: The credit bureaus ask for your Social Security number and other information in order to identify you and avoid sending your credit report to the wrong person. However, UCLA advises caution if you are contacted by somebody who claims to represent UCLA on this matter and who asks for personal information. UCLA will contact you only with information regarding steps you should take to prevent possible fraud or identity theft, or if you ask us for specific information about this incident; the university will not contact you and ask for your full Social Security number, bank account or other personal information. In the case of a fraud alert, potential creditors will contact you to confirm your identity before issuing new credit in your name.

Q: Should I change my Social Security number?
A: The Social Security Administration very rarely changes a person’s Social Security number. The possibility of fraudulent use of your number probably would not be viewed as justification. Also, there are drawbacks to changing your Social Security number. For example, you would lose your credit history, which could make it difficult to get new credit, continue college, rent an apartment, open a bank account or get health insurance.

Q: Should I close my bank account, cancel my credit cards or change my driver’s license?
A: The illegally accessed database does not include any information about bank accounts, credit card accounts or driver’s licenses.

Q: Will UCLA contact me to ask for personal information because of this event?
A: UCLA will not contact you to ask for personal information such as your Social Security number or credit card or banking information. The university will only contact you to provide suggestions on how to protect against potential identity theft and fraud or, if you request, to provide specific information. In similar circumstances at other institutions, people have reportedly been contacted by individuals fraudulently claiming to represent the university and asking for personal information. UCLA recommends caution if you receive similar phone calls or e-mails.

Q: Didn’t UCLA have a similar incident recently?
A: You may be thinking about an incident in 2004, when a Blood Bank laptop computer was stolen. Fortunately, we have no evidence that identity theft occurred as a result of that theft. There have been many other instances in which leading universities have had their computer security compromised, including cases at USC, the University of Texas, New York University and University of California campuses at Berkeley and San Diego.

Q: What steps is UCLA taking to improve the security of personal information and prevent similar incidents in the future?
A: When suspicious activity was detected, UCLA blocked access to the Social Security numbers and the database and notified the FBI, which has launched an investigation. The database that was compromised was reconstructed and protected. UCLA launched a comprehensive review of all information security measures to accelerate enhancements that were already in progress. In recent years, UCLA has added and strengthened firewalls and intrusion detection systems, encrypted the data flows containing sensitive information, and increased vigilance in identifying threats and securing servers. In addition, access to Social Security numbers has been restricted to only those with a compelling business need, and Social Security numbers have been removed from most computer screens and printed reports. Unfortunately, despite these efforts, one or more hackers were able to exploit a previously undetected flaw in one of UCLA’s systems and illegally access restricted data.

Q: Are there other resources available regarding identity theft?
A: Please see the list of additional resources on this site.