Updated May 10, 2021
On December 24, 2020, UC’s Accellion FTA was the target of an international attack, where perpetrators exploited a vulnerability in the application. Over 100 organizations were similarly attacked, including universities, government agencies and private companies. In connection with the attack, certain UC data was accessed without authorization. We identified on March 29, 2021 that some of this data was posted on the Internet.
When the University discovered the issue, we took the system offline and patched the Accellion vulnerability. We are in the process of transitioning to a more secure solution. The University is cooperating with the FBI and working with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted and to whom the data belongs.
There is no evidence that other University systems were impacted.
To inform and protect the UC member community, the University notified the community via email, hosted interactive workshops at several campuses and posted information about the event and how individuals can protect themselves to its websites. The University also arranged for free credit monitoring and identity theft protection services for the entire University community through Experian IdentityWorks.
Learn more from the UCOP Substitute Notice of Data Breach here.
This video produced by UC San Diego provides information on how to to register for credit monitoring and identity theft protection and take other steps to protect yourself. The video is also available in Spanish.
This FAQ addresses what to do if you recieve an alert from Experian IDWorks that some of your information has been found on the web.
For even more information, please click the links below:
- UCOP - Data Security
- UCOP - Frequently Asked Questions about the Accellion Data Breach
- UCOP Investigating Extent of Data Breach
- UC Offers Free Protection From ID Theft
- How to Protect Your Credit
- 5 Ways to Protect Online Information
The shift to remote learning, remote instruction, and remote work and the associated rise in use of personal devices to do University work has led to an increased risk to UC Merced’s information security posture. We want to remind you that the threat of social engineering, phishing and disinformation campaigns surrounding Coronavirus (COVID-19) remains high. Please be on the alert!
Across the globe, there is an increased amount of phishing and ransomware activities initiated by criminal organizations and nation state actors. These sophisticated attempts are targeting COVID-19 researchers, health providers, and anyone who might have access to institutional resources and data assets mostly in the form of COVID-19 exposure notification messages. These activities are also confirmed by FBI through public service announcements.
In general, criminals and bad actors are using the COVID-19 pandemic to raise fear and concern via phishing emails and text messages. These scams might indicate that you have been infected and/or you were near someone that is infected with COVID19, say that found out about you due to social tracking, and instruct you to download a form and proceed immediately to the nearest hospital.
Even before COVID-19 contact tracing programs have legitimately been rolled out in Merced, cyber criminals have been sending emails alleging that staff members have been infected. These malicious messages—ostensibly from institutions such as the World Health Organization (WHO), or Center for Disease Control (CDC), University of California faculty and staff, or even medical professionals—are intended to spread disinformation and disrupt economic recovery efforts. Many instances of this type of cyber crime are also very targeted, such as the Social Services Letter circulating in Merced County indicating COVID-19 testing is mandatory for all households and failure to comply will result in a suspension of benefits.
Please be aware that the United States government and medical professionals and institutions do not do any social tracking of the COVID-19 virus. Hackers will say that they traced you down via your phone or a charge card receipt for a location or someone that you might know. Typically, they try and keep everything as vague as possible so that you will click on the link included with the message. Keep these tips in mind:
- Please do not click on any suspicious links in messages. Read messages critically, even if they’re about COVID-19.
- Visit websites that you know and trust such as UC Merced’s Campus Covid-19 Updates or the Centers for Disease Control and Prevention for legitimate information.
- Do not respond to texts, emails, or calls about checks or the government stimulus package. This is another way for actors to obtain your personal information and infect your devices with malicious code.
- Ignore online offers for vaccinations and home-test kits. No such approved products exist currently.
- Hang up on robocalls.
- Visit our Phishing Email Archive: https://it.ucmerced.edu/phishing#heading-3 for regularly-updated examples of phishing attempts and stay informed to stay safe!
UC Merced Information Security has noticed a large spike in phishing scams and spam emails using a subject line containing “Coronavirus” or “COVID-19” as the lure to entice our campus community to click on links, download files, and open attachments. Many of these emails impersonate legitimate institutions and authorities.
One specific threat, reported by the Health Sector Cybersecurity Coordination Center (HC3), is an alert that cyber criminals have already begun circulating links to a “Live Coronavirus - COVID-19 map” falsely claiming to be from Johns Hopkins University, which actually contains malware. This malware can steal your browser history, cookies, cryptocurrency and other credentials including email addresses, passwords and credit card numbers.
More generally, beware of emails and sites containing information about or selling products that would allegedly cure or prevent COVID-19. These are also potential sources of phishing and spam.
As always, we urge users to:
- Exercise caution when clicking on links or opening attachments, even if they look like they’re from someone you know
- Whenever possible, go to web pages by a path you know is legitimate instead of clicking on a link in a message
- If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm they sent it
If you’re unsure if an email is legitimate or if you know for certain it isn’t, please report it directly to Information Security at email@example.com. For more information, be sure to visit our How to Spot a Phish page.