A hacking program that records the keystrokes of computer users was found on three machines in the Student Health Center at University of California, Irvine. They had been there for six weeks and may have captured the personal data of approximately 1,800 students and 23 non-students.
PHIprivacy.net reported the breach on May 14. A letter (pdf) sent to potentially affected parties by center Executive Director J. Patrick Haines said the malware was active between February 14 and March 27 and transmitted the data to unauthorized servers outside the UC network.
Information may have included names, unencrypted medical information, student ID numbers, non-student patient ID numbers, mailing addresses, telephone numbers, amounts paid for health center services, and bank and check information for aforementioned expenditures. Medical information may have included insurance codes and numbers and diagnoses.
No actual medical records were accessed; just the keystrokes of typists doing things like filling out medical and insurance forms.
The letter said, “We have no indication that the data have been fraudulently used.”
What they mean is no one had notified the school that they had been ripped off as a result of the breach. Yet. Haines said the school was notified of the breach on March 27 by the California Information Security Office in the California Department of Technology (CDT). There was no explanation how they became involved.
Keystroke logging has many “legitimate” uses, like allowing companies to legally spy on their employees at work and track their output on a minute-to-minute business. There are numerous off-the-shelf programs available that can capture keystrokes in many different ways.
Snoops can download a free one from CNET that gets four and a half stars. It is billed as “the Number One free monitoring software.”
“You can control online conversations and activity of your children, spouse, or your employees. And don't worry: this software is absolutely invisible for everyone. Only you will know a special hot key to show/hide the program.”
UC Irvine did not say what kind of keylogger was used. It was also unclear whether employee system login credentials may have been stolen, which would expand the scope of the problem significantly.