Hackers have gained access to databases at the University of California-Los Angeles (UCLA), making off with the personal information of 800,000 current and former students, employees, and faculty.
The data breach is thought to be the largest of its kind at an American college or university.
The breach first occurred in October 2005 but was not detected until November 2006, when it was blocked, according to a statement by UCLA's acting chancellor Norman Abrams.
The stolen information varies in content, but in many cases includes names, addresses, dates of birth, and Social Security numbers.
Despite the extraordinary duration of the hacker intrusion and the amount of information stolen, Abrams insisted there was no indication that the information had been used for identity theft or fraud as of yet.
He did not say why, in his opinion, hackers would steal the data if they did not intend to use it.
The hackers' attack involved targeting a single specific database using techniques to target Social Security numbers in particular, said UCLA's chief information officer Jim Davis.
The database even contained information on applicants who did not attend UCLA as well as parents of applicants seeking financial aid, going back as far as a decade.
Davis did not explain why the university had so much information and held it for so long.
Universities are increasingly prime targets for data thieves due to the huge amounts of information they amass on their students, often collected and organized by Social Security number.
College students also represent attractive targets for credit card fraud, since they have relatively unblemished credit histories and are swamped with solicitations for credit from the moment they step on campus.
Ohio University formerly held the dubious honor of being "Data Breach Central" after a breach at one of its health centers was revealed to be the latest in a series of intrusions that exposed the personal information of hundreds of thousands of students, faculty, and employees.
The breaches led to the firings of two administrators in Ohio University's IT department, who contested the moves and blamed the university management for failing to implement security procedures they devised to prevent such breaches.
Not long after the Ohio University breach, Sacred Heart University, in Fairfield, Connecticut, was hit with a hack attack. Like UCLA, Sacred Heart had been collecting data on applicants as well as attendees, and even students who filled out information at job fairs and exam testing services.
Last year, San Diego resident Eric McCarty exploited a vulnerability in the University of Southern California's (USC) online application site to gain access to the applicant database. McCarty, a former network administrator, used his expertise to circumvent the database's password protection and copy an undisclosed number of students' Social Security numbers.
McCarty was later arrested and pleaded guilty to a felony charge of unauthorized computer access.