As federal law enforcement conducts an investigation, many details of the Accellion data breach—which resulted in stolen personal information of a range of UC affiliates including students, their families, faculty and staff—remain unclear
The UC was affected by a nationwide cyberattack that impacted 300 other organizations, including other university systems such as the University of Colorado system. The University of California Office of the President (UCOP) was utilizing Accellion’s File Transfer Appliance (FTA), and hackers exploited vulnerabilities in this product to seek financial gain.
The personal information that hackers may have obtained include names, birthdates, addresses, Social Security numbers, credit card and bank account information. Federal law enforcement is investigating to determine who was affected, and the UC will notify these individuals once they have been identified.
The attackers sent emails to those who had their information stolen and others who may not have been compromised, threatening to release the stolen information to the dark web. Some stolen information has been published online, according to the UC.
UC Davis IT prevented phishing emails containing threats to release personal information from reaching UC Davis email account inboxes, according to Vice Provost and Chief Information Officer Viji Murali.
“We did receive a few emails threatening our users,” Murali said in an email. “We immediately prevented those phishing emails from being delivered to your inboxes so users would not click on the links by mistake and get hacked.”
The UC Davis administration stressed that UCOP, not UC Davis, utilized the Accellion software which resulted in the data breach. Chancellor Gary May emphasized that the Davis campus’ systems have been secure.
“I do want to make one thing clear: UC Davis systems were not breached,” May said via email. “The data that was stolen was from UCOP systems and affected UC campuses to varying degrees.”
Murali echoed May’s sentiment, explaining that affiliates’ personal information was stolen from UCOP systems and asserting that UC Davis systems played no role in the breach.
“As Chancellor May indicated, we were not attacked,” Murali said via email. “We are working closely with UCOP to understand the incident and to follow the recommendations provided to us on how to secure our campuses. We also have multiple tools and applications in place to assist us.”
Murali recommended that all students, faculty and staff take unilateral security measures including theft protection and resetting passwords. Murali extended this recommendation to students’ families, whose personal information could be compromised as well, according to UCnet. UCOP paid for all faculty, staff and students to get Experian IdentityWorks, according to Murali.
“Students, faculty and staff should use multifactor authentication (DUO), change their passwords often and use unique passwords for all of their accounts and applications,” Murali said via email. “This is especially true for your bank accounts and credit card websites. You should also sign up for Experian based on the link provided by UCOP to protect your identity. This is especially important now.”
Ashley Bilbrey, a first-year computer science student and member of the UC Davis cybersecurity club, experienced her second data breach as a result of Accellion’s FTA, despite taking extra precautions against cyberattacks.
“This is also not the first time I’ve had my data breached from this specific vulnerability,” Bilbrey said. “I used to work at Kroger, and they also used this product.”
Bilbrey said she fears identity theft and follows the best cybersecurity practices possible to protect herself against cyber attackers.
“I’m mostly just scared that my identity is going to be taken and I’ll be a victim of identity theft,” Bilbrey said. “As someone who is interested in cybersecurity, I take really great care to protect myself, protect my identity. I try to make myself the hardest target. So it’s disappointing to me when there’s a breach and I couldn’t have stopped it because it wasn’t my responsibility.”
While it is a difficult task to determine which individuals’ information was stolen, Bilbrey said that providing UC community members with Experian identity theft protection for one year is an insufficient response.
“The use of Accellion FTA should have been discontinued in January when there were first notifications that there were vulnerabilities in this service,” Bilbrey said. “Post-notification of this breach, in specific to the university, I am disappointed that they only provided one year of identity protection coverage, as we will need to deal with this the rest of our lives.”
Written by: Rebecca Gardner — firstname.lastname@example.org