University officials could not be reached immediately for further comment.

That the breach remained undetected for more than a year is troubling but not entirely surprising, especially in a university environment, said Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston. There is still a widely held misperception that monitoring and auditing databases for security breaches imposes a "ridiculous penalty on performance," he said. As a result, many organizations fail to keep an eye on their databases and miss breaches of the sort that happened at UCLA, he said.

"I don't think the performance argument carries a lot of weight, but it is an argument that people often use" for defending their decision not to monitor database activity, Jaquith said.

Another problem with database activity auditing is that it can generate huge amounts of data, said Ron Ben-Natan, chief technology officer at Guardium Inc., a vendor of database security products. So people tend to tune it down and use it only to detect certain very specific types of activities, such as privilege escalation, he said. In the process, they could miss other potential security violations, he noted.

The UCLA breach is the largest ever reported by a U.S university, but it is one of many reported by higher-education institutions over the past few years. More than a quarter of the 400 or so data breaches listed on the Privacy Rights Clearinghouse Web site since the ChoicePoint compromise of February 2005 involve a university. The most recent breach listed on the privacy advocacy group's site occurred Dec. 9, when Virginia Commonwealth University in Richmond accidentally sent personal information on 561 students as attachments in an e-mail to 195 students informing them of their eligibility for scholarships.