In late December, the UC Berkeley Financial System was breached and the personal information of approximately 80,000 students, faculty, staff and vendors was accessed. This is not a shock in today’s age of cyber insecurity. However, what’s surprising is that UC Berkeley officials abstained from notifying victims of the attack until just last Friday, meaning that two whole months passed in which the students’ finances could have been used without their knowledge. This is a chilling possibility.
And according to SF Gate, officials claim there is no evidence that the parties responsible for the attack copied any of the information. This may sound reassuring, but it’s equivalent to a child asserting that there is no evidence she dropped your toothbrush in the toilet, despite it dripping and you definitely hearing a splash. You can’t prove it, but the danger is pretty clear.
The university is now urging victims through email to keep an eye on their bank accounts while offering a credit protection service free of charge. But, as mentioned earlier, it could be too late. So what compelled the administration to withhold this information and leave its constituents at risk?
Some argue that disclosing the breach to the public could put the university’s system at even greater risk than staying silent.
If, for example, a vulnerability was left unpatched on the system, letting everyone know right away before it was closed could have presented an opportunity for other cyber attackers to exploit the system while it was still vulnerable. Similar to a disease outbreak, the public knowing too little information could be more beneficial than knowing too much of it. Senior Director of Strategic Communications Janet Gilmore spoke to this point in an interview with the UCSD Guardian.
“With any cyber attack, it takes time to determine the scope of the attack, restore the integrity of the system [and] identify the individuals potentially affected,” Gilmore explained. “Once the university discovered the attack, it promptly hired an outside computer investigation firm to ensure the process could move along as quickly as possible and to help confirm that the attack was fully contained and the intruders expelled from the system.”
However, according to Mercury News, the intrusion was detected within 24 hours of it happening and the system was patched in early January, just a week or two later. That still leaves approximately a month and a half in which the victims could begin the process of tracking their accounts and protecting their credit but didn’t know they had a significant reason to.
Regardless, maybe we shouldn’t be shocked, as this isn’t the first time a cyber attack at the university went unannounced for a perplexing amount of time. Just last September, the campus’ server was breached, yet the public wasn’t notified until December. UC Berkeley’s system gets compromised as often as the students’ trust in its administration does — or at least what’s left of it.
We provide officials with all of our private and valuable information, confident that they’ll protect it from theft and third-party use, but their system fails and we have to merely accept that this is the era of technology that we live in. But then, when our information is accessed and potentially stolen, we, the sole owners of it, are not made aware of the new risk presented to our lives until weeks or even months later.
With such a troubling situation happening twice in a mere six months, members of the UC community are growing tired of and possibly apathetic toward the lack of protection and communication from the administration. It is time that the university prioritizes this issue by allocating resources toward guarding our private information and promptly admitting when it fails to do so.