UC Berkeley officials are in the process of notifying approximately 1,600 individuals that their personal information may have been compromised in a data breach of the campus’s real estate division.
The breach allowed unauthorized access to servers that were used to support a number of UC Berkeley real estate division programs. The campus estimates that about 1,300 Social Security numbers and 300 credit card numbers were among the data accessed. The data span from the early 1990s to May of this year.
According to campus spokesperson Janet Gilmore, the campus believes that the username and password of an employee were stolen when the employee attended to work-related business while on vacation.
Among the impacted individuals are current and former campus employees, as well as individuals with contracts with the real estate division. The breach was limited to the real estate division and did not involve central campus files, such as those for students and alumni, Gilmore said in an email.
After the breach was discovered in September, the campus reviewed the data to identify individuals potentially affected and brought in an outside firm to discover any personally identifiable information on the servers. These data review processes ended last week, and campus officials began sending notification letters to affected individuals Friday.
Although there is no evidence that the data were downloaded and used, impacted individuals are being notified in accordance with California law. UC Berkeley has offered a free one-year membership for credit monitoring and protection services to those affected.
The campus discovered a larger-scale data theft in 2008, in which personal and health information of 160,000 UC Berkeley students and alumni were stolen from the campus’s health services center. The breach also affected parents, spouses and students from Mills College who used UC Berkeley’s health services.
The most recent security breach has cost the campus approximately $150,000 to date, although full costs have yet to be calculated.