OAKLAND, Calif.--(BUSINESS WIRE)--As the University of California (UC) previously disclosed in communications to students, staff and faculty, and retirees in early April, UC experienced a security event with its Accellion file transfer appliance (FTA). This release provides up-to-date information on what happened and what we are doing.
On December 24, 2020, UC’s Accellion FTA was the target of an international attack, where perpetrators exploited a vulnerability in the application. Over 100 organizations were similarly attacked, including universities, government agencies and private companies. In connection with the attack, certain UC data was accessed without authorization. We identified on March 29, 2021 that some of this data was posted on the Internet.
The University values privacy and security and is enhancing the safeguards and protections of its information and systems. The University has decommissioned the Accellion FTA and is in the process of transitioning to a more secure solution. The University is cooperating with the FBI and working with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted and to whom the data belongs.
Because protecting the UC community is a priority, the University notified the community via email, hosted interactive workshops at several campuses and posted information about the event and how individuals can protect themselves to its websites. The University also arranged for free credit monitoring and identity theft protection services for the entire University community through Experian IdentityWorks.
In 48 hours, individuals will receive an email from Experian on behalf of the University. It will remind individuals about the available services and provide a unique activation code that can be used to access the same services. The prior universal code will be retired. The University has established a dedicated call center to answer questions regarding the event and these services. Many UC community members have signed up for this service and we encourage anyone who hasn’t enrolled to sign up now.
What Information Was Involved?
While the investigation is ongoing, evidence shows that an unauthorized third party gained access to files that contain personal information relating to members of the UC community, including employees (current and former) and their dependents, retirees and beneficiaries, and current students, as well as other individuals who participated in UC programs.
The impacted information may include full names, addresses, telephone numbers, Social Security numbers, driver’s license information, passport information, financial information including bank routing and account numbers, health and related benefit information, disability information and birthdates, as well as other personal information.
What We Are Doing
In addition to notifying individuals and providing free credit monitoring, the University is working to identify the community members whose personal information was impacted and their contact information. These investigations take time, and we are working deliberately, while taking care to provide accurate information, as quickly as we can. Within the next 45 – 60 days, we expect to send appropriate individual notifications through Experian to those people whose personal information was impacted, where current contact details are available to the University.
We are also separately notifying individuals who started or completed applications for the 2021-22 school year whose contact information (name, email address and phone number) was impacted. Their notification will contain information pertinent to those individuals.
When we discovered the issue, we took the system offline and patched the Accellion vulnerability. There is no evidence that other University systems were impacted. We have decommissioned FTA, and are in the process of transitioning to a new file transfer system with enhanced security controls, deploying additional system monitoring broadly throughout our network, conducting a security health check of certain systems and enhancing security controls, processes and procedures. We are also reviewing and updating our security policies, procedures and controls as appropriate.
What You Can Do
If you have already enrolled in the free credit monitoring and identity theft protection services with Experian, you do not need to re-enroll. For UC community members who have not registered for these services, information about how to register will be contained in the update email being sent in the next 48 hours.
We request that UC community members remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police.
It is also always a good idea to be alert for “phishing” emails or phone calls from someone who acts like they know you, or claims to be a company that you may do business with, and who requests sensitive information, such as passwords, Social Security numbers or financial account information. We also recommend that you use multifactor authentication for your online accounts when offered.
For additional information about the event and how to protect yourself, including by accessing the free credit monitoring and identity theft protection services offered by the University through Experian IdentityWorks, click here. A dedicated call center also is available toll free in the U.S. at (866) 904-6220 from 6:00AM to 8:00PM PT on Monday through Friday and from 8:00AM to 5:00PM PT on Saturday and Sunday.