Data from survey responses could be published or sold for financial gain by hackers
Participants in one of UC Davis’ undergraduate experience surveys were targeted by the recent Accellion cyberattack, according to a May 26 campus-wide email from Pablo Reguerín, the vice chancellor of student affairs. Accellion is an IT cybersecurity company.
The undergraduate experience survey, conducted between April 20 and July 16, 2020, asked students personal questions regarding academic performance, mental health, diversity and campus life. The data from these survey responses, which also included names, email addresses and student IDs, could potentially be published or sold by the hackers.
Targeted individuals also received an email from UC President Michael Drake regarding resources to ensure cyberdata protection.
“I strongly encourage students who receive [this email] to take it seriously and follow [Drake’s] recommendations,” said Chancellor Gary May via email. “And don’t be afraid to reach out for mental health support should you need it. Everything will be okay.”
Dana Topousis, the chief marketing and communications officer at UC Davis, urged students to check the UC site regularly for updated information about the Accellion attack.
“The UC has created a microsite with frequently asked questions and information about how to protect yourself moving forward,” Topousis said.
According to a recent article in The California Aggie, the Accellion attack previously enabled hackers to access information including credit card and bank details, birthdays, Social Security numbers and addresses.
The recently updated UC statement had noted that some of this personal data was published on the Internet on March 21. The Accellion system was then taken offline and the vulnerability was repaired, but the UC—which is cooperating with FBI officials to investigate the matter—has said it is currently seeking a more long-term solution to the issue.
The UC has also established “free credit monitoring and identity theft protection services for former and current employees […] and current students” through Experian IdentityWorks, a resource linked in emails to relevant individuals between May 12 and May 14.
The cyberattack affected many other institutions worldwide, from companies to government agencies to hospitals, according to Inside Higher Ed.
The attack, first conducted in December 2020 and again in January 2021, also targeted institutes of higher education like the University of Colorado, Yeshiva University, the University of Miami, the University of Maryland, Baltimore County and the Stanford University School of Medicine.
Cybercriminals subsequently published the data collected from these institutions on a website called C10p. Inside Higher Ed said the aforementioned information included “academic transcripts, medical records, research grants and employment contracts.”
The individuals running the C10p website have been known to threaten people with publishing such data if they do not receive ransom money.
This tactic of using harmful software to block access to computer systems until ransom money is received has been used by other cybercriminal groups like Ryuk, Netwalker and DoppelPaymer using an “.onion domain.”
Melissa Lutz Blouin, the director of news and media relations at UC Davis, spoke about practical ways that students can protect their personal data. She recommended they be vigilant about phishing scams, which often contain inquiries about sensitive information or link to websites demanding such personal details.
Blouin also urged students to use Duo, a multi-factor authentication system that is designed to protect against hackers.
“For many of us, our homes are now our offices,” Blouin said via email. “Keep your devices as secure at home or on the road as you would in the office. Lock your computer screen before leaving it unattended, and take your phone and other portable items with you or lock them up. Password protect all of your devices, using the strongest authentication available.”
Written by: Rebecca Bihn-Wallace – firstname.lastname@example.org