The University of California Office of the President sent a UC-wide email to students, staff, and academics on April 2 to inform the community of a nationwide cyberattack that compromised their personal information. Approximately 300 organizations were targeted in this cyber attack on Accellion’s File Transfer Appliance, a platform designed for sharing and transferring sensitive files. 

“The perpetrators gained access to files and confidential personal information by exploiting a vulnerability in Accellion’s program,” Michael V. Drake, the UC president, wrote in the email. “At this time, we believe the stolen information includes but is not limited to names, birth dates, Social Security numbers, and bank account information. The attackers are threatening to publish, or have published, stolen information on the dark web to extort organizations and individuals.”

In an attempt to help affected UC community members protect their identity and information, the University of California provided a complimentary one-year subscription to Experian IdentityWorksSM. By combing through the dark web to cross-examine personal information provided by users, the platform offers identity protection, credit monitoring, identity restoration, and theft insurance, among other things. 

To further assist members of the UC community in safeguarding their data and information, the UCOP hosted a virtual workshop on April 8 centered around Identity Theft Protection. The workshop, hosted by UC San Diego’s Chief Information Security Officer Michael Corn and Chief Information Officer Vince Kellen, centered around walking UC community members through registering for Experian and answering participants’ questions. Questions regarding the data breach that were unable to be answered by Corn and Kellen were forwarded to the UCOP for further evaluation.  

Corn explained that most email addresses already exist on the dark web in this day and age. The availability of email addresses on the dark web is typically what leads to spam emails filling up one’s inbox. Corn emphasized that the relative danger here is low in comparison to other information becoming available on the dark web.  Other than alerts about one’s email address, it is imperative to pay close attention to every security alert that Experian may send your way.

“I would say that the majority of the questions that we received so far have been, ‘Holy smokes, you told me there has been a data breach, and I am going someplace and giving them my sensitive data,’” Corn said. “ It’s a good reason to stop and ask yourself, ‘What are they doing with this data?’ […]  They are asking for this personal information here so they can verify that you are who you say you are. As we all know, no system is perfectly safe. But, […] the theoretical risk that something could happen to Experian doesn’t — it doesn’t balance well with the actual and immediate value of signing up for the service.”

Further, Corn urged the UC community to sign up their familial relations with whom they are financially entangled (e.g., a spouse, significant other, adult child, minor child, or parent). The UCOP also recommends placing identity fraud alerts with a credit bureau. 

The UCOP believes that the party responsible for the data breach primarily attacks by sending threatening emails to individuals associated with the approximately 300 targeted organizations. The act of trying to gain access to one’s personal and vulnerable information by sending emails pretending to be someone else is commonly referred to as phishing. 

Phishing scams can be recognized by paying close attention to the available details in the email or text message. While phishing emails make concerted efforts to appear as an honest company or organization seeking to contact the recipient for a legitimate reason, the provided hyperlinks or email addresses often do not align with that of the actual company. 

If the subject line seems irrelevant, an email is blank except for long, unrecognizable hyperlinks, or contains unrelated attachments, the email may be a phishing scam. Oftentimes, the email could also be cc’ed to individuals, not in the recipient’s contact list and could contain text that urges the recipient to take action to prevent some negative consequence from occurring. In these instances, the email may be a phishing scam. Avoid clicking on any links or attachments, and report the phishing attempt to the FTC.  

Incoming Eleanor Roosevelt College transfer student Nick Godinez, who has had a particular interest in computers and digital safety from a young age, further explained how phishing works and how clicking links in phishing scams can allow for damaging malware to be installed on one’s device. 

“[There’s] keylogging as well,” Godinez said. “They basically have something on the computer that’s able to read every key input. So, if you ever type in your Twitter login, a Zoom login, a bank login, it will come up on their side as well.”

Godinez was not shocked that the Accellion cyber attack infiltrated UC’s data.

“Looking at it now, certain academic institutions obviously don’t have the same cyber security as Google or big companies,” Godinez said. “Seeing that the UC System was definitely a victim of this huge nationwide crime, it’s not too surprising that it can happen. Definitely, it’s kind of disappointing to see they were easily swindled by a random person on a computer somewhere in a random state. In the future, they’ll probably […] increase their security online.”

Similar to Corn, Godinez emphasized the usefulness of implementing two-factor authentication in everyday use. 

“That’s a really important one,” Godinez said. “People overlook it because it’s another thing to just log in[to], but it’s really nice to have if you have, say, a laptop or another phone just to make sure that, if you are logging in, you’re able to confirm that that’s you.” 

When speaking about two-factor authentication, Corn emphasized that this is a step that can be taken to help one have more control of their online information.

“Even if your password is compromised, if you have two-factor authentication set up, you are making it an order of magnitude more difficult for someone to hack into your account,” Corn said. “Rather than racing out and immediately changing everything out of fear, take these two steps, gain control, and empower yourself.”

As far as storing passwords goes, Corn strongly suggests signing up for an encrypted online password manager. UCSD provides LastPass accounts to those interested, using one’s Active Directory username as their LastPass username. 

While centered around providing essential information, the hosts of the Identity Protection Workshop made it known that it is up to each individual to make an informed decision regarding what measures they would like to take online, if any, to safeguard their information and data. 

Those who have questions and may require help registering for Experian can call (866) 617-1923; those who believe they may have been affected in fraudulent manners by the cyberattack can contact Experian’s services at (877) 890-9332. The UCOP email address intended to answer data breach and identity protection inquiries is [email protected]. Additionally, UCNet has released a page of Frequently Asked Questions regarding the cyber attack and suggestions for measures to protect oneself. 

A workshop recording can be found here, along with other resources and suggested security measures. 

Associate Communications Director Erika Johnson referred The UCSD Guardian back to the official email statements from the UCOP when reached out to for comment.

Photo courtesy of Hazel Leung for The UCSD Guardian.