In December 2020, the University of California experienced a data breach due to a vulnerability in a third-party provider, Accellion. The incident exposed personal data of students and staff, affecting the university community and raising concerns about data privacy. The breach highlighted the importance of robust security measures to protect sensitive information and prompted the university to take action to mitigate the impact on those affected.

How many accounts were compromised?

The breach impacted data related to approximately 547,000 individuals.

What data was leaked?

The data exposed in the breach encompassed dates of birth, education levels, email addresses, ethnicities, genders, job titles, names, phone numbers, physical addresses, and social security numbers.

How was University Of California hacked?

The Accellion data breach at the University of California occurred when cybercriminals exploited security vulnerabilities in the file transfer appliance, which was responsible for transferring sensitive information. The attackers targeted over 100 organizations, including universities, government agencies, and private companies. In response to the breach, the University of California implemented its incident-response procedure, patched the security loophole with an update from Progress Software, and notified the FBI.

University Of California's solution

In response to the data breach, the University of California took several measures to enhance security and prevent future incidents. They removed the vulnerable Accellion file transfer appliance and shifted to a new vendor's system with improved security controls. The university also deployed additional system monitoring throughout its network and endpoints, conducted security health checks of systems containing confidential data, and enhanced security controls, processes, and procedures. Furthermore, they implemented policy changes and improved their security management programs to ensure key leadership understood their roles in overseeing cybersecurity. The University of California also offered a free one-year subscription to Experian, an identity protection service, to possible victims of the breach, which was later extended for an additional two years.

How do I know if I was affected?

The University of California notified individuals believed to be affected by the data breach. If you are a member of the university community and have not received a notification, you may visit Have I Been Pwned to check if your credentials were compromised in the breach.

What should affected users do?

In general, affected users should:

• Change Your Passwords: Immediately update your passwords for all affected accounts. Ensure that the new passwords are strong and unique, not previously used on any other platform.

• Reset Passwords for Other Accounts: If you've used the same or similar passwords for other online accounts, reset those as well. This is crucial as attackers often try using stolen passwords on multiple sites.

• Enable Two-Factor Authentication (2FA): Activate 2FA on all affected accounts. Consider enabling this additional security feature on all other important online accounts to significantly reduce the risk of unauthorized access.

For specific advice on the University of California's data breach, contact their support by emailing ucinfo@applyucsupport.net.

Where can I go to learn more?

If you want to find more information on the University of California data breach, check out the following news articles:

• UCOP General Notice CA AG

• UC extends Experian subscription for those affected by 2020 data breach - Daily Bruin

• UCLA confirms it was hit by wide-ranging cyberattack but offers few details - Los Angeles Times