May 10, 2021 (updated May 21, 2021)

To the UC community:

As we recently disclosed in communications to students, employees and their dependents, and retirees, the University of California (UC) was recently subject to a cybersecurity attack involving its Accellion file transfer appliance (FTA). This post provides up-to-date information on what happened and what we are doing.

What Happened?

On December 24, 2020, UC’s Accellion FTA was the target of an international attack, where perpetrators exploited a vulnerability in the application. Over 100 organizations were similarly attacked, including universities, government agencies and private companies. In connection with the attack, certain UC data was accessed without authorization. We identified on March 29, 2021 that some of this data was posted on the Internet.

After the University discovered the issue, we took the system offline and patched the Accellion vulnerability. We are in the process of transitioning to a more secure solution. The University is cooperating with the FBI and working with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted and to whom the data belongs.

There is no evidence that other University systems were impacted.

To inform and protect the UC member community, the University notified the community via email, hosted interactive workshops at several campuses and posted information about the event and how individuals can protect themselves to its websites. The University also arranged for free credit monitoring and identity theft protection services for employees (current and former) and their dependents, retirees and beneficiaries, and current students through Experian IdentityWorks. Between May 12 and May 14, 2021, these individuals received an email from Experian on behalf of the University reminding them about the available services and providing a unique activation code. The University has established a dedicated call center to answer questions regarding the event and these services.

What Information Was Involved?

While the investigation is ongoing, evidence shows that an unauthorized third party gained access to files that contain personal information relating to members of the UC community, including employees (current and former) and their dependents, retirees and beneficiaries, and students, as well as other individuals who participated in UC programs.

The impacted information may include full names, addresses, telephone numbers, Social Security numbers, driver’s license information, passport information, financial information including bank routing and account numbers, health and related benefit information, disability information and birthdates, as well as other personal information provided to UC. Information provided by students who participated in the 2020 University of California Undergraduate Experience Survey (UCUES) was also impacted and posted to the internet by the threat actor.

We are also separately notifying certain individuals whose UC applications were impacted. For individuals that submitted applications for admission to the 2020-21 school year, their responses to questions in their application were impacted. For individuals that started or submitted applications for the 2021-22 school year, their name, email address and phone number were impacted. Notifications for these individuals will contain information pertinent to them.

What We Are Doing

The University is working to identify and contact the community members whose personal information was impacted. These investigations take time, and we are working deliberately, while taking care to provide accurate information as quickly as we can. By mid-July, we expect to send, through Experian, appropriate individual notifications to those people whose personal information was impacted, where current contact details are available to the University.

In addition to implementing a new file transfer system with enhanced security controls, we are deploying additional system monitoring broadly throughout our network, conducting a security health check of certain systems and enhancing security controls, processes and procedures. We are also reviewing and updating our security policies, procedures, and controls.

What You Can Do

If you have already enrolled in the free credit monitoring and identity theft protection services with Experian, you do not need to re-enroll. For eligible UC community members that have not registered for these services, information about how to register was contained in the update email sent between May 12 and May 14, 2021.

We request that UC community members remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police.

Additionally, it is also always a good idea to be alert for “phishing” emails or phone calls requesting sensitive information, such as passwords, Social Security numbers or financial account information. These requests often come from a sender pretending to be a company you do business with or a person you know. We also recommend that you use multifactor authentication for your online accounts when offered.

We have also established a dedicated call center available toll free in the U.S. at (866) 904-6220 from 6:00AM to 8:00PM PT on Monday through Friday and from 8:00AM to 5:00PM PT on Saturday and Sunday. Members of the UC community may also send questions to communications@ucop.edu.  

**PLEASE NOTE: If you have already enrolled in the free credit monitoring and identity theft protection services with Experian, you do not need to re-enroll.

Additional Information

To protect against possible fraud, identity theft or other financial loss, you should always remain vigilant, review your account statements, and monitor your credit reports. Provided below are the names and contact information for the three major U.S. credit bureaus and additional information about steps you can take to obtain a free credit report and place a fraud alert or security freeze on your credit report. If you believe you are a victim of fraud or identity theft, you can contact your local law enforcement agency, your state’s attorney general, or the Federal Trade Commission. Please know that contacting us will not expedite any remediation of suspicious activity.

INFORMATION ON OBTAINING A FREE CREDIT REPORT

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit reports, visit www.annualcreditreport.com or call toll-free at +1 (877) 322-8228.

INFORMATION ON IMPLEMENTING A FRAUD ALERT OR SECURITY FREEZE

You may contact the three major credit bureaus at the addresses below to place a fraud alert on your credit report. A fraud alert indicates to anyone requesting your credit file that you suspect you are a possible victim of fraud. A fraud alert does not affect your ability to get a loan or credit. Instead, it alerts a business that your personal information might have been compromised and requires that business to verify your identity before issuing you credit. Although this may cause some short delay if you are the one applying for the credit, it might protect against someone else obtaining credit in your name.

In addition to a fraud alert, you may also consider placing a security freeze on your credit report. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing or other services.

A credit reporting agency may not charge you to place, temporarily lift, or permanently remove a security freeze.

To place a fraud alert on your credit report, you must contact one of the credit bureaus below and the other two credit bureaus will automatically add the fraud alert. To place a security freeze on your credit report, you must contact all three credit bureaus below:

Equifax:
Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374
+1 (800) 525-6285
www.equifax.com

Experian:
Credit Fraud Center
P.O. Box 9554
Allen, TX 75013
+1 (888) 397-3742
www.experian.com

TransUnion:
TransUnion LLC
P.O. Box 2000
Chester, PA 19016-2000
+1 (800) 680-7289
www.transunion.com

To request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. If you have moved in the past five (5) years, the addresses where you have lived over those prior five years;
  5. Proof of current address such as a current utility bill or telephone bill; and
  6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.).

You may also contact the U.S. Federal Trade Commission (“FTC”) for further information on fraud alerts, security freezes, and how to protect yourself from identity theft. The FTC can be contacted at 400 7th St. SW, Washington, DC 20024; telephone +1 (877) 382-4357; or www.consumer.gov/idtheft.

ADDITIONAL RESOURCES

Your state attorney general may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your state attorney general, or the FTC.

California Residents: Visit the California Office of Privacy Protection (https://oag.ca.gov/privacy) for additional information on protection against identity theft.

Iowa Residents: The Attorney General can be contacted at Office of Attorney General of Iowa, Hoover State Office Building, 1305 E. Walnut Street, Des Moines, Iowa 50319, +1 (515) 281-5164, www.iowaattorneygeneral.gov.

Kentucky Residents: The Attorney General can be contacted at Office of the Attorney General of Kentucky, 700 Capitol Avenue, Suite 118 Frankfort, Kentucky 40601, www.ag.ky.gov, Telephone: +1 (502) 696-5300.

Maryland Residents: The Attorney General can be contacted at Office of Attorney General, 200 St. Paul Place, Baltimore, Maryland 21202; +1 (888) 743-0023; or www.marylandattorneygeneral.gov.

Massachusetts Residents: Under Massachusetts law, you have the right to obtain any police report filed in connection to the incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

North Carolina Residents: The Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; +1 (919) 716-6400; or www.ncdoj.gov.

New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA), which governs the collection and use of information pertaining to you by consumer reporting agencies. For more information about your rights under the FCRA, please visit www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov.

Oregon Residents: The Attorney General can be contacted at Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, +1 (877) 877-9332 (toll-free in Oregon), +1 (503) 378-4400, or www.doj.state.or.us.

Rhode Island Residents: The Attorney General can be contacted at 150 South Main Street, Providence, Rhode Island 02903; +1 (401) 274-4400; or www.riag.ri.gov. You may also file a police report by contacting local or state law enforcement agencies.