Systemwide Data Breach Poses Threat to Students’ Personal Information

The University of California released a statement on March 31 stating they were impacted by a cyber attack that affected at least 300 organizations including several universities, such as Stanford and the University of Maryland, Baltimore, and many government agencies. This data breach of personal information was due to a vulnerability in Accellion’s system, a third party vendor that handles secure file transfers. 

Those behind the attack have published online screenshots of personal information onto a website called Clop, which can range from Social Security numbers to bank account information. 

On April 1, UC San Diego released an email to school employees and staff regarding the cyber attack, stating UC employees were victims of the data breach. In the email, they said they were working closely with the UC Office of the President (UCOP) regarding the incident and would communicate with any employees involved in the cyber attack. 

A day later, on April 2, UCOP sent an email to the UC community regarding the cyber attack. They recommended signing up for Experian ID, a credit monitoring system that has been offered to the UC community for one free full year of membership. This service is available to students with a Social Security number. 

Prior to UCSD’s announcement, many students had already received suspicious emails, mentioning their personal information had been hacked. Seeing as the emails were sent to spam folders, students were able to find out about the breach due to conversations on Reddit. 

A third year student, who asked to remain anonymous, received an email on March 30 that threatened to publish their information if they did not click on an external link. 

The email included the following text: “The UC has been hacked and is not taking action to resolve the problem. Your information will be published to the darknet.”. 

Although UCSD recommended signing up for a credit monitoring program, the student felt unsafe putting more of their information online so they deleted their account. 

Alexandra, a second year student who asked to be identified by her first name, received a similarly suspicious email on March 30. The email featured unusual font, grammar mistakes, another external link, and a “sense of aggression from the sender.” 

In a statement to the Triton, she explained that she expected the school to have had a better system to handle these situations. “Many students, including myself, know very little about what is actually going on regarding the breach which is concerning since we are the ones affected by it,” Alexandra said. 

In the UC’s follow up FAQ email sent on April 5, they answered common questions regarding the cyber attack, including who else could be affected by the data breach. 

“Family members who are listed as dependents or beneficiaries on employee or retiree accounts, or who are listed on student paperwork, may be affected,” said UC officials. 

Currently, the UC is working with local and federal law enforcement as well as third-party vendors to investigate the incident. They are reviewing security controls as well as implementing additional security measures to prevent future hacking attacks in the future, as they explain in the FAQ. Only after completing their investigation does the UC think they will be able to properly assess the extent of data and individuals impacted. 

However, Alexandra remains concerned about the university’s lack of guidance.  “Providing credit monitoring is great, but only helpful if the person hasn’t been targeted. No information or assistance has been released on what a student should do if they are a victim of identity theft or another consequence as a result of the breach,” she said. “I’ve made sure to update passwords and secure emails and bank information but at the moment I’m not reassured that the school will assist students if they are targeted directly.”

This is not the first time Accellion has been a victim of hacking. Last March, Wired released an article that revealed Accellion had been experiencing data breaches since December 2020. In response to these breaches, Accellion released a statement in January mentioning they “released a patch within 72 hours to the less than 50 customers affected.” They recommended that their customers update to another firewall platform for “highest level of security and confidence.” 

This is also not the first time that UCSD has been a victim of a data breach. In 2018, the University was involved in a cyber attack in which they notified 619 of their patients that their personal information had been leaked by Nuance Communications, a computer software company. It was determined that a former Nuance employee obtained access to the information of 45,000 individuals, including UCSD patients.

In addition to utilizing credit monitoring softwares and the University-provided code, UC President Michael Drake recommends that students change passwords, check their spam for emails, and place fraud alerts on credit accounts. 

An identity theft protection workshop hosted by UCSD and UCSD health was held on April 8 at 2 p.m. The workshop was to teach students how to register for credit monitoring, how to use the credit monitoring service, and how to take other steps to protect themselves. The workshop will not address specifics of the data breach incident. Click here for updated FAQs and information.. 

Any suspicious emails should be sent to abuse@ucsd.edu. 

Additional questions regarding the data breach and security can also be sent to communications@ucop.edu. 

Vanessa Gaeta is a staff writer for The Triton. You can follow her @_vnsgg.