UC System Information Compromised in Accellion Data Breach After Nation-wide Cybersecurity Attack

Photo from UCnet / Website

The University of California Office of the President (UCOP) announced that UC was subject to a nation-wide cybersecurity attack on March 31. The perpetrators “gained access to files and confidential personal information by exploiting a vulnerability” in Accellion’s File Transfer Appliance (FTA), which is used by the UC for transference of sensitive information. 

“The attackers are threatening to publish, or have published, stolen information on the dark web in an attempt to extort organizations and individuals,” UCOP said in a UC-wide email on April 2.

Individuals who receive emails threatening to publish stolen personal information are advised to forward them to their local information security department.

According to UC, the stolen information “includes but is not limited to names, addresses, telephone numbers, birth dates, Social Security numbers and bank account information for a range of UC populations, including employees and their dependents and beneficiaries, retirees and their beneficiaries, students and their families, and potentially other individuals with connections to UC.”

In response to the data breach, UC is providing members of the UC community a complimentary one-year subscription to Experian IdentityWorks, a credit monitoring and identity theft protection service. The service offers identity restoration as well as 24/7 search for trading and selling of personal information on the dark web.

“Those that have enrolled in the monitoring service are now receiving alerts that their social security numbers and other sensitive information was found on the dark web,” Chief Information Security Officer and Director of Information Security Joshua J. Drummond said. “The same week this incident was announced, many UC employees also got notified that their health insurance provider ‘Health Net’ had a similar incident and are also providing a year of monitoring.”

A former New University staff member and UC employee spoke with the New University regarding the leak of her Social Security number.

“Through this past year, the disregard for students has become abundantly clear,” she said. “From not supporting students in their rent crisis and hefty tuition rates, not giving Black students the proper resources and recognition during a time of intense trauma, and this frankly embarrassing lack of protection for student privacy, the higher ups of the UCs have shown that they are not for the students.”

Outside of signing up for Experian, UC is recommending individuals to take further steps to prevent identity theft, including placing fraud alerts on credit files, monitoring bank account statements and freezing credit reports across all three nationwide credit bureaus.

UCI Health has created a printable sheet of preventative measures and links to resources for the UC community to protect themselves from identity theft. UCI OIT Security has also provided additional resources to minimize the impact of a personal data leak.

Despite the UC notifying students and faculty of the data breach on March 31, the information was not widespread until students took to social media platforms, such as Twitter, to alert alumni and other members of the UC community.

In response to the cyber attack, UCSC senior Hannah Stitt started a petition for UC to extend their one-year free identity monitoring to a lifetime subscription on April 22. 

“One year of credit monitoring will not protect us, the threat of identity theft now that our [Social Security numbers] have been exposed will not suddenly disappear after one year. We are at a greater risk of having our identities stolen for the rest of our lives,” Stitt said in the petition.

In mid-December 2020, Accellion discovered a P0 vulnerability in their FTA software after it was exploited in a cybersecurity attack. The incident was the beginning of a “concerted cyberattack” on the FTA that continued into January 2021.

Accellion issued a statement on Feb. 22 identifying UNC2546 as the party responsible for the series of previously reported attacks.

“Accellion has patched all known FTA vulnerabilities exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors,” Accellion said. 

In a Feb. 25 press release, Accellion announced that its legacy FTA software’s End Of Life will be effective starting April 30, 2021.

“The FTA software is Accellion’s 20-year-old legacy product. For the past three years, Accellion has been attempting to move its existing FTA customers over to our modern and more secure platform, Kiteworks,” the press release said.

According to the Feb. 22 press release, out of 300 total FTA clients, fewer than 100 were victims to the cybersecurity attack and fewer than 25 were subject to “significant data theft.”

UC is among a large group of universities, including Stanford University and the University of Miami, who use third-party transfer services provided by Accellion and have been affected by the data breach. 

UCLA Health was victim to a network breach compromising 4.5 million patients in 2015. UCLA began investigating suspicious activity in conjunction with the FBI in October 2014, and officially determined that the network containing personal information of UCLA Health affiliates was compromised on May 5, 2015. Social security numbers, health care information and other personal information were also compromised at the time.

Similar to UC’s offer with Experian IdentityWorks, UCLA also offered affected individuals a financed year long subscription to an identity protection service, MyIDCare.

Class action complaints were filed against the Regents of the University of California on July 24, 2015. The legal suit resulted in a settlement agreement in which UCLA agreed to pay $7.5 million in claims, purposing $5.5 million to new network security improvements and $2 million to class action claims.

According to a FAQ posted on the UCnet website, UC is working with local and federal law enforcement and third-party vendors to investigate the data breach. As of April 26, no litigation plans have been officially announced.

Questions about the cybersecurity incident can be forwarded to communications@ucop.edu. Responses will be posted to the UCnet website.

Chelsea Pan is the 2020-2021 Managing Editor. She can be reached at manager@newuniversity.org.

Dhanika Pineda is a 2020-2021 Campus News Co-Editor. She can be reached at campusnews@newuniversity.org.