UC a Target of Nationwide Cyber Attack
Updated May 10, 2021
On December 24, 2020, UC’s Accellion FTA was the target of an international attack, where perpetrators exploited a vulnerability in the application. Over 100 organizations were similarly attacked, including universities, government agencies and private companies. In connection with the attack, certain UC data was accessed without authorization. We identified on March 29, 2021 that some of this data was posted on the Internet.
When the University discovered the issue, we took the system offline and patched the Accellion vulnerability. We are in the process of transitioning to a more secure solution. The University is cooperating with the FBI and working with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted and to whom the data belongs.
There is no evidence that other University systems were impacted.
To inform and protect the UC member community, the University notified the community via email, hosted interactive workshops at several campuses and posted information about the event and how individuals can protect themselves to its websites. The University also arranged for free credit monitoring and identity theft protection services for the entire University community through Experian IdentityWorks.
In 48 hours, individuals will receive an email from Experian on behalf of the University. It will remind individuals about the available services and provide a unique activation code that can be used to access the same services. The prior universal code will be retired. The University has established a dedicated call center to answer questions regarding the event and these services.
What Information Was Involved?
While the investigation is ongoing, evidence shows that an unauthorized third party gained access to files that contain personal information relating to members of the UC community, including employees (current and former) and their dependents, retirees and beneficiaries, and current students, as well as other individuals who participated in UC programs.
The impacted information may include full names, addresses, telephone numbers, Social Security numbers, driver’s license information, passport information, financial information including bank routing and account numbers, health and related benefit information, disability information and birthdates, as well as other personal information.
What UCOP is Doing
In addition to notifying individuals and providing free credit monitoring, the University is working to identify and contact the community members whose personal information was impacted. These investigations take time, and we are working deliberately, while taking care to provide accurate information as quickly as we can. Within the next 45 – 60 days, we expect to send, through Experian, appropriate individual notifications to those people whose personal information was impacted, where current contact details are available to the University.
We are also separately notifying individuals who started or completed applications for the 2021-22 school year whose contact information (name, email address and phone number) was impacted. Their notification will contain information pertinent to those individuals.
As we transition to a new file transfer system with enhanced security controls, we are deploying additional system monitoring broadly throughout our network, conducting a security health check of certain systems and enhancing security controls, processes and procedures. We are also reviewing and updating our security policies, procedures and controls.
What You Can Do
If you have already enrolled in the free credit monitoring and identity theft protection services with Experian, you do not need to re-enroll. For UC community members that have not registered for these services, information about how to register will be contained in the update email being sent in the next 48 hours. Many UC community members have signed up for this service and we encourage anyone who hasn’t enrolled to sign up now.
We request that UC community members remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police.
Additionally, it is also always a good idea to be alert for “phishing” emails or phone calls requesting sensitive information, such as passwords, Social Security numbers or financial account information. These requests often come from a sender pretending to be a company you do business with or a person you know. We also recommend that you use multifactor authentication for your online accounts when offered. We have also established a dedicated call center available toll free in the U.S. at (866) 904-6220 from 6:00AM to 8:00PM PT on Monday through Friday and from 8:00AM to 5:00PM PT on Saturday and Sunday. Members of the UC community may also send questions to firstname.lastname@example.org.
**PLEASE NOTE: If you have already enrolled in the free credit monitoring and identity theft protection services with Experian, you do not need to re-enroll.
Learn more from the UCOP Substitute Notice of Data Breach here.
UCOP’s investigation includes a review of the files they believe may have been copied and transferred as part of this attack. Upon completion of their review, they should be able to better assess the data and individuals impacted. Once they can identify affected individuals, they will notify them and provide information regarding additional next steps.
UC believes the person(s) behind this attack are sending threatening mass emails to members of the UC community in an attempt to scare people into giving them money. The message states: “Your personal data has been stolen and will be published.”
Anyone receiving this message should either forward it to your local information security office or simply delete it.
We remind all members of the UC community to not click on links or open attachments unless you know and trust the sender.
The University of California regards the privacy of all its community members with the utmost seriousness. UCOP will update the UC community as they are able to disclose additional information.
To help you protect your identity, UC is offering the entire UC community complimentary credit monitoring and identity theft protection for one year through Experian IdentityWorks. To sign up for this service, please visit this page for enrollment codes and links to sign up adults and minors that may be affected. At this link, you'll also find a phone-based enrollment help service.
- Credit monitoring: Monitors your Experian file for indicators of fraud.
- Internet surveillance: Technology searches the web, chat rooms and bulletin boards 24/7 to identify trading or selling of your personal information on the dark web.
- Identity restoration: Specialists are immediately available to help you address credit and non-credit related fraud.
- Experian IdentityWorks ExtendCARE: Receive the same high level of identity restoration support even after your Experian IdentityWorks membership has expired.
- $1 Million Identity Theft Insurance: Provides coverage for certain costs and unauthorized electronic fund transfers.
- Lost wallet: Provides assistance with canceling/replacing lost or stolen credit, debit, and medical cards.
- Child monitoring: For 10 children up to 18 years old, internet surveillance and monitoring to determine whether enrolled minors in your household have an Experian credit report are available. Also included are identity restoration and up to $1M Identity Theft Insurance.
If you have questions about the data that Experian collects from you in order to protect your identity, please visit this page for information about Experian security measures.
In light of the cyber attack on the University of California, you may wish to take the following steps to protect your credit information:
- Place a fraud alert with one of the three nationwide credit bureaus: Equifax | Transunion | Experian
- Place a security freeze on your credit report by making a request to the three credit bureaus.
- Consider taking additional identity theft measures described by the Federal Trade Commission.
The cybersecurity attacks recently directed against UC and other universities, government agencies and private companies throughout the country are a frightening reminder of the importance of doing everything possible to protect ourselves online.
As UC works to contain and investigate these attacks, it’s more important than ever to follow best practices for cybersecurity whether you’re at home or in the office. Here are five ways to protect your data:
- Think before you click
Criminals are experts at making phishing emails as convincing as possible. Even if an email looks like it’s from someone you know, verify unexpected attachments or requests for private information (yours or anyone else’s). Go to web pages by a path you know is legitimate instead of clicking on a link in a message. Remember: UC, including UCPath and UC Retirement At Your Service (UCRAYS), will never ask you for personal or user account information by email. Read more about how to spot a phishing attack on the UC Merced OIT Phishing page.
- Protect your passwords
Your old tricks for setting and storing your passwords may no longer be up to the task. Consider a secure password service to generate and store passwords for your work and personal accounts. And always remember to:
- Make passwords long and strong
- Never reveal your password to anyone
- Use different passwords for different accounts, and for work and non-work activities
- Click “no” when websites or apps ask to remember your password
- Use strong authentication where possible, such as multi-factor authentication (MFA), fingerprints and tokens.
- Protect your devices
For many of us, our homes are now our offices. Keep your devices as secure at home or on the road as you would in the office. Lock your computer screen before leaving it unattended, and take your phone and other portable items with you or lock them up. Password protect all of your devices, using the strongest authentication available. It’s also critical to protect your devices with the latest anti-virus and anti-malware protection. Automate software updates and restart your devices regularly to make sure they’re always up to date.
- Protect your files
It’s happened to all of us – our hard drives fail, or our devices get lost or stolen. Make sure important information is stored securely, in a physically separate location from the originals, and test your backups periodically. For critical work files, use storage options that are approved by your UC location and are backed up regularly. Pay special attention to sensitive information you use in your work. Delete sensitive information when you are done with it, following the UC records retention schedule. Better yet, don’t store it in the first place if you don’t need to.
- If it’s suspicious, report it!
Report suspected scams and other suspicious activity to your local information security office. Thank you for doing your part to keep your information — and UC’s — safe and secure.
Read more about good cyber hygiene from OIT here.