Assemblymember Loni Hancock is criticizing the state response to a recent UC Berkeley computer hacking incident as too little and too late.
Hancock is calling upon the California Department of Social Services (CDSS) to “develop a stronger policy that both prevents the unauthorized access to personal information and requires departments to respond quickly if security breaches occur.”
In addition, Hancock wants the department to do a personal mailing to the more than half a million citizens whose personal identity information may have been stolen in the hacking.
In the meantime, CDSS officials are now refusing to release any more details of the hacking incident, citing an FBI investigation into the matter.
Last month, CDSS issued a statewide media alert in an attempt to notify the citizens whose personal information was stored in the hacked UC computer. At issue are the names, social security numbers, addresses, telephone numbers, and birthdates of some 600,000 In Home Supportive Services (IHSS) program whose information had been uploaded on the UC Berkeley computer by a Connecticut-based researcher. Among those who may be at risk are seniors and disabled persons who receive regular in-home visits by IHSS workers.
The chain of events began Aug. 1 when a hacker broke into a UC Berkeley computer containing the IHSS information. The data was being used on the UC computer by Connecticut College Associate Professor of Economics Candace Howes, who was conducting a state-approved research project on the In Home Supportive Services program.
Carlos Ramos, state assistant secretary of health and human services, told reporters earlier that UC Berkeley officials became aware of the hacking on Aug. 30, but did not report the matter to the CDSS until Sept. 21. Ramos also said that the personal identity information should have been removed from the database before it was loaded onto the UC computer.
CDSS has said that the investigation “has not determined whether any personal data was acquired” during the hacking.
On Oct. 19, a month after being informed by UC Berkeley, CDSS issued a “media advisory,” sending out press releases and posting information on their website about the computer break-in. The alert included guidelines for IHSS workers and clients on how to contact credit reporting agencies to make sure they had not been the victims of identity theft, and included a hotline number for affected citizens to call in to receive more information and instructions.
Assemblymember Hancock says that is not enough.
“We are asking for individual notification of both clients and workers,” said Hancock Chief of Staff Hans Hemann. “CDSS has informed us that the next step they’re going to take will be to attach something to the pay stubs of IHSS workers about the hacking, but we still hold that they need to go beyond that. They need to provide something to the workers that distinguishes itself from any other mailing that the workers receive, something that’s very distinct, perhaps on different colored paper.”
But Hemann says it is the home services clients about whom Hancock’s office is most worried, “since they have less chance for interaction with the state agencies or county agencies.” Hemann identified clients, rather than workers, as the largest number of individuals who were potentially affected.
In addition, Hemann said Hancock was “concerned” about the two and a half months it took from the time the security breach was detected until the time information about the hacking was released to the public as well as “disappointed” by the number of calls received by the CDSS hacking hotline.
“They really geared up for it, manning four extra lines, but the response was small,” he said.
CDSS Deputy Director for Public Affairs Shirley Washington would not confirm the number of calls received, saying she did not have that information on hand and that the department “may not even be tracking” the number of calls.
Hemann said that Hancock and a group of state legislators have met with CDSS officials to try to resolve the problems raised by the hacking. Hancock has also scheduled a meeting with UC Berkeley officials next week about the matter.
“All of the legislators involved in this effort believe that the research is important, and we want it continued,” Hemann said. “It’s just that there was a breakdown somewhere, and we’re trying to get to the bottom of that.”
CDSS Deputy Director for Public Affairs Shirley Washington that her office is “under specific instructions” not to release any more information while the FBI investigation is pending.
Asked for details of the agreement between CDSS and the researcher concerning the clients’ and workers’ personal data, Washington said that she did not have a copy of the agreement on hand.
“It’s not that black and white in terms of what was in the agreement,” she said. “Because it’s being investigated, it’s kind of hard to define at this point.”
Asked if the terms of the CDSS/researcher agreement were being investigated, Washington said, “Everything’s under investigation. Everything.”