Education institution releases more details after third-party Accellion hack

The University of California has released further details related to a data breach following a cyber-attack on third-party provider Accellion

The University of California (UC) has released further details of a data breach affecting staff and students, confirming that sensitive information was taken in the attack.

As previously reported by The Daily Swig, the institution suffered a data leak in April after malicious actors gained unauthorized access via third-party service Accellion file transfer appliance (FTA).

The UC released further information last night (May 10) about the incident, which affected employees (current and former) and their dependents, retirees and beneficiaries, and current students, as well as other individuals who participated in UC programs.

Impacted information “may include” full names, addresses, telephone numbers, Social Security numbers, driver’s license information, passport information, financial information including bank routing and account numbers, health and related benefit information, disability information and birthdates, as well as other personal information, said the UC.

Individuals who applied for courses starting in the academic year 2021-22 may have also had their contact details, including names, phone numbers, and addresses, stolen.

More secure solution

In light of the cyber-attack, UC said it has stopped using Accellion FTA and is transitioning to a “more secure solution”.

The university is offering free credit monitoring to all those affected and will be holding workshops designed to help individuals protect themselves against possible identity theft.

The UC has not confirmed the number of people involved, but has confirmed it is conducting an investigation with the help of the FBI and “cybersecurity experts”.

The statement reads: “These investigations take time, and we are working deliberately, while taking care to provide accurate information, as quickly as we can.

“Within the next 45-60 days, we expect to send appropriate individual notifications through Experian to those people whose personal information was impacted, where current contact details are available to the university.”

Read more of the latest data breach news

UC added: “When we discovered the issue, we took the system offline and patched the Accellion vulnerability. There is no evidence that other university systems were impacted.

“We have decommissioned FTA, and are in the process of transitioning to a new file transfer system with enhanced security controls, deploying additional system monitoring broadly throughout our network, conducting a security health check of certain systems, and enhancing security controls, processes, and procedures.

“We are also reviewing and updating our security policies, procedures and controls as appropriate.”

READ MORE UC Berkeley confirms data breach, becomes latest victim of Accellion cyber-attack