Updated July 1, 2021

We continue to add to and update our list of frequently asked questions and answers as more information becomes available:

If you have already registered with Experian, there is no need to take any further action to activate your monitoring. 

Questions about the individual notices sent June 30 and July 1

Notices were sent to individuals whose personal information was impacted in the event and in certain other cases where appropriate, and where current contact information was available.  

Out of an abundance of caution, in April and May, the University notified community members whose personal information was potentially impacted before the analysis of the impacted data was complete. The University also provided these individuals one year of free credit monitoring and identity theft protection.

The notifications were sent June 30 and July 1.

UC community members are being notified via USPS mail in cases where we have a current physical address. The University is sending the notification via email if we do not have a physical address but do have an email address.

The USPS mail and/or email were sent between June 30 and July 1 from Experian. The email address from Experian is “no-reply@marketing.csid.com” and notes that the University of California is the sender.  

The impacted personal information is identified in your notification letter. 

The University sent emails to UC community members whose information was potentially impacted between May 12-14 and May 21, 2021. Please check your inbox and/or spam folder to see if you received one. The email address from Experian is “no-reply@marketing.csid.com” and notes that the University of California is the sender. That email would have included an activation code.

If you did not receive an activation code, please contact Experian. We have established a dedicated call center available toll-free in the U.S. at (866) 904-6220 from 6:00 AM to 8:00 PM PT Monday through Friday and from 8:00 AM to 5:00 PM PT Saturday and Sunday.

There is no need to do so.

The University is covering the cost for one year of credit monitoring and identity theft protection. If you would like to continue the service beyond that, you can purchase those services following that period.

If you lost your activation code, please contact Experian. We have established a dedicated call center available toll-free in the U.S. at +1 (866) 904-6220 from 6:00 AM to 8:00 PM PT Monday through Friday and from 8:00 AM to 5:00 PM PT Saturday and Sunday.

No, you should not expect any further communication about the Accellion event.

General questions: What happened, what we are doing and what you can do

On December 24, 2020, the University’s Accellion file transfer appliance (FTA) was the target of an international attack.

Perpetrators exploited a vulnerability in the application and attacked over 100 organizations, including universities, government agencies, and private companies.

In connection with the attack, certain University data was accessed without authorization. On March 29, 2021, the University identified that some of this data was posted on the Internet.

The University values privacy and security and is enhancing the safeguards and protections of its information and systems. The University has decommissioned the Accellion FTA and is:

  • Transitioning to a more secure solution;
  • Cooperating with the FBI; and
  • Working with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted, and to whom the data belongs.

Between May 12-14, the University sent emails to UC community members whose information was potentially impacted. For transparency reasons and out of an abundance of caution, the University continued to notify community members whose information was potentially impacted, as the investigation unfolded.

The University has identified individual community members whose information was impacted by the Accellion event and, as of June 30th and July 1st, 2021, sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. The University worked deliberately, while taking care to provide accurate information, as quickly as it could. 

While the investigation is ongoing, evidence shows that an unauthorized party gained access to files that contain personal information belonging to members of the University community, including employees (current and former) and their dependents, retirees and beneficiaries, and current students, as well as other individuals who participated in UC programs. The University has identified individual community members whose information was impacted by the Accellion event and, as of June 30 and July 1, 2021, sent the appropriate individual notifications via Experian. 

The impacted information may include full names, addresses, telephone numbers, Social Security numbers, driver’s license information, passport information, financial information including bank routing and account numbers, health and related benefit information, disability information, and birthdates, as well as other personal information provided to UC. Information provided by students who participated in the 2020 University of California Undergraduate Experience Survey (UCUES) was also impacted and posted to the internet by the threat actor.

As a result of a thorough investigation, the University has identified individual community members whose information was impacted by the Accellion event and, as of June 30 and July 1, 2021, sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. The University worked deliberately, while taking care to provide accurate information, as quickly as it could. 

The University was aware of the data posted to the Internet. Nonetheless, to gain a comprehensive and complete understanding of the full extent of the attack’s impact, a leading forensic cybersecurity firm was engaged to determine precisely what happened and what data was accessed or acquired without authorization. 

As part of that investigation, and to provide accurate information to University community members, the University began reconstructing what files may have been stored on the Accellion FTA over the relevant period, working with UCOP security teams and our external cybersecurity experts. As part of that effort, the University initiated a process to conduct a careful inspection of each and every file to determine what information was potentially affected in order to be able to provide accurate information and to give notice to each University community member whose personal information was impacted. 

In addition to using sophisticated tools to parse and search the data, the University also conducted a manual review of each and every file. Because much of the data was unstructured, and because of the volume of files, this was a labor-intensive and time-consuming process that involved hundreds of hours of detailed review and analysis. The University used its resources to complete this investigation and analysis as quickly as it could, and, as of June 30 and July 1, 2021, sent the appropriate individual notifications via Experian.   

While the investigation was ongoing, the University updated information about the event on its website and sent emails to the population of individuals whose information was potentially impacted, with guidance on steps to protect themselves along with free credit monitoring and identify theft protection services provided by Experian IdentityWorks.

When the University discovered the issue, it took the Accellion FTA offline and patched the vulnerability. There is no evidence that other University systems were impacted. The University is in the process of transitioning to a new file transfer system with enhanced security controls, deploying additional system monitoring broadly throughout its network, conducting a security health check of certain systems, and enhancing security controls, processes, and procedures.

Yes. When the University discovered the issue, it took the system offline and patched the Accellion vulnerability. There is no evidence that other University systems were impacted. The University is in the process of transitioning to a new file transfer system with enhanced security controls, deploying additional system monitoring broadly throughout its network, conducting a security health check of certain systems, and enhancing security controls, processes, and procedures.

Yes. The University has reported the matter to U.S. federal law enforcement.

The University asks that its community members remain vigilant against threats of identity theft or fraud. Additionally, it is always a good idea to be on alert for “phishing” emails or phone calls by someone who acts like they know you or are part of a company that you may do business with, and who requests sensitive information, such as passwords, Social Security numbers, or financial account information. You may report suspected phishing or social engineering attempts to the following email addresses depending upon your campus:

The University also recommends that you rotate passwords and use multifactor authentication for your online accounts when offered. 

The University is offering free credit monitoring and identity theft protection services through Experian IdentityWorks to the following groups:

  • Employees (current and former) and their dependents;
  • Retirees and beneficiaries;
  • Current students; and
  • Certain other individuals who participated in the University’s programs

These individuals were notified between May 12-14, 2021. An activation code was contained in the email. The former universal activation code (JCZGTC333) may no longer be used for new activations. 

As a result of a thorough investigation, the University has identified individual community members whose information was impacted by the Accellion event and, as of June 30 and July 1, 2021, sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. The University worked deliberately, while taking care to provide accurate information, as quickly as it could. 

The University is working to identify the community members whose information was impacted. These investigations take time, and the University is working deliberately to provide accurate information as quickly as it can. As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. These notifications also included credit monitoring and identity theft protection activation codes for Experian IdentityWorks.

University community members should remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police. You may also contact the credit reporting agencies to place a “fraud alert” or “security freeze” on your credit reports in the case of identity fraud or theft.

University community members should remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police.

You may contact the credit reporting agencies to place a “fraud alert” or “security freeze” on your credit reports.

  • File a police report, and ask for a copy for your records.
  • File a complaint with the Federal Trade Commission.
  • File a complaint with your state Attorney General.
  • Keep detailed records.
  • Keep detailed notes of anyone you talk to regarding this incident, what he / she told you, and the date of the conversation.
  • Keep originals of all correspondence and forms relating to the suspicious or fraudulent activity, identity theft, or fraud.
  • Retain originals of supporting documentation, such as police reports and letters to and from creditors. When requested to produce supporting documentation, send copies.
  • Keep old files, even if you believe the problem is resolved.

You may also contact affiliated financial institutions to protect or close any accounts that have been tampered with or opened fraudulently.

Additionally, it is always a good idea to be alert for “phishing” emails or phone calls by someone who acts like they know you or are a company that you may do business with, and who requests sensitive information, such as passwords, Social Security numbers, or financial account information. 

You may report suspected phishing or social engineering attempts to the following email addresses depending upon your campus:

INFORMATION ON OBTAINING A FREE CREDIT REPORT

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit reports, visit www.annualcreditreport.com or call toll-free (877) 322-8228. Through April 20, 2022, Experian, TransUnion and Equifax will offer all U.S. consumers free weekly credit reports through AnnualCreditReport.com to help you protect your financial health during the sudden and unprecedented hardship caused by COVID-19.

INFORMATION ON IMPLEMENTING A FRAUD ALERT OR SECURITY FREEZE

You can contact the three major credit bureaus at the addresses below to place a fraud alert on your credit report. A fraud alert indicates to anyone requesting your credit file that you suspect you are a possible victim of fraud. A fraud alert does not affect your ability to get a loan or credit. Instead, it alerts a business that your personal information might have been compromised and requires that business to verify your identity before issuing you credit. Although this may cause some short delay if you are the one applying for the credit, it might protect against someone else obtaining credit in your name.

In addition to a fraud alert, you may consider placing a security freeze on your credit report. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing, or other services. A credit reporting agency may not charge you to place, temporarily lift, or permanently remove a security freeze.

To place a fraud alert on your credit report, you must contact one of the credit bureaus below; and the other two credit bureaus will automatically add the fraud alert. To place a security freeze on your credit report, you must contact all three of the credit bureaus below.

Equifax:
Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374
(888) 766-0008
www.equifax.com

Experian:
Credit Fraud Center
P.O. Box 9554
Allen, TX 75013
(888) 397-3742
www.experian.com

TransUnion:
TransUnion LLC
P.O. Box 2000
Chester, PA 19022-2000
(800) 680-7289
www.transunion.com

To request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial, as well as Jr., Sr., II, III, etc.);
  2. Social Security Number;
  3. Date of birth;
  4. If you have moved in the past five (5) years, the addresses where you have lived over those prior five years;
  5. Proof of current address, such as a current utility bill or telephone bill; and
  6. A legible photocopy of a government-issued identification card (state driver license or ID card, military identification, etc.).

You may also contact the U.S. Federal Trade Commission (“FTC”) for further information on fraud alerts, security freezes, and how to protect yourself from identity theft. The FTC can be contacted at 400 7th St. SW, Washington, D.C. 20024; telephone (877) 382-4357; or www.consumer.gov/idtheft.

You may obtain information from the FTC and the credit reporting agencies listed above about placing a fraud alert and/or credit freeze on your credit report.

If you suspect or know that you have been a victim of identity theft or fraud, we urge you to report the incident to law enforcement, the Federal Trade Commission, and your state Attorney General.

Questions about credit monitoring and Experian

The University is offering free credit monitoring and identity theft protection services through Experian IdentityWorks to the following groups:

  • Employees (current and former) and their dependents;
  • Retirees and beneficiaries;
  • Current students; and
  • Certain other individuals who participated in the University’s programs

These individuals were notified between May 12-14, 2021. An activation code is contained in the email to sign up for Experian IdentityWorks. The former universal activation code (JCZGTC333) may no longer be used for new activations.

As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. These notifications also included credit monitoring and identity theft protection activation codes for Experian IdentityWorks.

Individuals who are eligible for free credit monitoring are:

  • Employees (current and former) and their dependents;
  • Retirees and beneficiaries;
  • Current students; and
  • Participants in the UC Outreach Program.

If you fall into one of these categories but did not receive an individual code, please call our dedicated call center at 1-866-904-6220 for assistance.

You have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert displayed on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. You may contact any of the three nationwide credit bureaus – Equifax, Experian, and TransUnion – to request a fraud alert. Once you place an alert with one of the bureaus, that bureau will send your request to the other two.

A security freeze will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. 

However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. 

Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Contact the three major credit bureaus directly to place a security freeze on your credit file. 

Fraud alerts can be placed on your credit reports for free, and there are two different types:

  • An initial (one-year) fraud alert can be placed if you believe you are, or may become, a victim of fraud or identity theft. The fraud alert lasts for one year. If you want to keep it active on your credit reports, you'll need to renew it after that time. When you or someone else attempts to open an account in your name or attempts to make changes on an existing account, such as increasing the credit limit, the lender or creditor must take reasonable steps to confirm you are who you say you are, such as through contacting you by phone at a number you provide, before completing the request.

Placing an initial fraud alert also allows you to request a free copy of your credit reports every 12 months from the three nationwide credit bureaus, in addition to the one free copy from each credit bureau you're entitled to under the Fair Credit Reporting Act

  • An extended fraud alert can be placed if you are a victim of fraud or identity theft. It requires a copy of a valid police or law enforcement agency report or a Federal Trade Commission Identity Theft Report. An extended fraud alert is similar to an initial fraud alert but lasts for seven years. With an extended fraud alert, a lender or creditor is required to verify your identity in person or by phone at a number you provide before opening new accounts or making changes to existing accounts.

A Social Security number is required to sign up for credit monitoring. Adults without a Social Security number are eligible for Experian IdentityWorks Global. You may call Experian at 1-866-904-6220; and an Experian representative working on behalf of the University will assist you. 

Yes. The credit monitoring agencies recommend that you should check your credit report at least once a year, if not more often, as part of your normal financial management practices. Some individuals prefer checking their credit scores monthly or even weekly. You can check your credit score as frequently as you’d like without impacting your score.

You can order your credit reports for free from all three credit bureaus once a year. You can do this online at www.annualcreditreport.com or by phone at 1-866-322-8228. Normally, you can get a free copy of your credit report from each bureau once every 12 months at AnnualCreditReport.com. Through April 2022, however, you can request a free copy of your credit report every week.

Individuals eligible for credit monitoring and identity theft protection services were notified between May 12-14, 2021. An activation code is contained in the email to sign up for Experian IdentityWorks. The former universal activation code (JCZGTC333) may no longer be used for new activations.

As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. These notifications also included credit monitoring and identity theft protection activation codes for Experian IdentityWorks.

If you have already signed up for Experian IdentityWorks using the former universal activation code, there is no need to sign up again.

No. If you have already signed up for free credit monitoring using the previous code, no additional steps are necessary.

If you previously registered for Experian IdentityWorks and received an alert, that is evidence the monitoring service is working. The Experian member portal offers information about what you can do to protect yourself.  

Experian advises people to take different steps, depending on what kind of information was exposed.

a. My email address is compromised; what should I do next?

  • Consider changing the password to your email and to any other accounts that use your email address as a username. Use a strong password and avoid reusing passwords across multiple sites.
  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.
  • As a precaution, keep an eye on your bank and credit card accounts for unfamiliar transactions.
b. My phone number was compromised; what should I do next?
  • Watch for suspicious calls and contact your phone provider if these noticeably increase.
  • Add your name to the national Do Not Call list.
  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.
  • As a precaution, keep an eye on your bank and credit card accounts for unfamiliar transactions.

c. My driver's license was compromised; what should I do next?

  • Contact your local Department of Motor Vehicles (DMV).
  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.
  • As a precaution, keep an eye on your bank and credit card accounts for unfamiliar transactions.

 d. My medical ID was compromised; what should I do next?

  • Contact your medical care provider to report activity and verify that there have not been any fraudulent claims opened.
  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.
  • As a precaution, keep an eye on your medical insurance accounts, as well as your bank and credit card accounts, for unfamiliar transactions.

e. My debit, credit or retail card was compromised; what should I do next?

  • Review the account transaction history closely for unfamiliar charges.
  • If you detect unfamiliar charges or other suspicious activity, contact your financial institution to cancel your card and / or report it as stolen.
  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.
  • As a precaution, keep an eye on other bank and credit card accounts for unfamiliar transactions.

 f. My passport was compromised; what should I do next?

  • Contact the U.S. Passport office (or your representative Embassy or Consulate if your passport is from a different country).
  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.

 g. My bank account was compromised; what should I do next?

  • Review the account transaction history closely for unfamiliar charges.
  • If you detect unfamiliar charges or other suspicious activity, contact your financial institution and close your bank card / account.
  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.
  • As a precaution, keep an eye on other bank and credit card accounts for unfamiliar transactions.

 h. My international bank account number (IBAN) was compromised; what should I do next?

  • Review the account transaction history closely for unfamiliar charges.
  • If you detect unfamiliar charges or other suspicious activity, contact your financial institution and close your bank card / account.
  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.
  • As a precaution, keep an eye on other bank and credit card accounts for unfamiliar transactions.

 i. My National ID number was compromised; what should I do next?

  • Review your credit reports from all three bureaus (Experian, Equifax and TransUnion) for new activity.
  • As a precaution, keep an eye on your bank and credit card accounts for unfamiliar transactions.

 j. I received a breached company name in my Experian Internet Surveillance notification.

This is the potential company or website from where the internet compromise originated. Hackers, when sharing stolen data on the dark web, will sometimes provide the name of the company or website from where the information was breached. In this situation, you may see a reference to UC.

If you don't recognize the breached company as one with which you have a relationship, note that it may be a third-party organization that interfaces with a company with which you’ve done business. A hypothetical example could be if your information was exposed during the breach of a payment processor that partners with a commercial airline from which you've purchased tickets.

k. A new inquiry alert was detected; what should I do next?

If you recognize or authorized this activity, no action is required. If not, here is some more information that may help.

If you're still certain that you didn't authorize this activity, there are steps that you can take:

  • Contact the creditor – this may clear up what's happening.
  • Review your credit report for new activity.
  • Dispute the account information on your credit report.
l. A new account or new trade alert was detected; what should I do next?

If you recognize or authorized this activity, no action is required. If not, here is some more information that may help.

If you're still certain that you didn't authorize this activity, there are steps that you can take:

  • Contact the creditor – this may clear up what's happening.
  • Review your credit report for new activity.
  • Dispute the account information on your credit report.
m. I don't recognize the company in my credit alert.

If you’re not sure if you initiated the activity on your alert, here's some information that may help:

Did you recently apply for a credit application or open a new account? Here are some companies you may see in your alert that may not be familiar on first glance:

  • JPMCB (aka JP Morgan Chase Bank)
  • CBNA (aka Citibank)
  • CapOne (aka CapitalOne)
  • FNBO (aka First National Bank of Omaha)
  • TBH (aka The Home Depot)
  • Synchrony Bank – Credit and loan provider that typically works with major retailers.
  • Credco – This is a third-party reporting agency. Often, mortgage companies, financial institutions and dealerships will contact this type of reporting agency to obtain a three-bureau credit score.
  • Ally – Ally Bank is a credit and loan provider that typically works with major retailers in several industries, such as auto financing, equity sponsors and corporate finance.
n. I applied for credit, but have not received an alert.

Most lenders report account activity within 30 days, but some can take as long as 90 days. Also, some smaller creditors may only report to one or two of the three nationwide consumer reporting agencies – Equifax, Experian and TransUnion. If your creditor doesn't report to all three, then you will not receive an alert from all three for the same activity.

o. Why did I receive more than one alert for the same loan application?

Here are some common reasons that you will receive multiple alerts for the same loan application:

  • If the loan was approved and the lender opened an account in your name, you will receive an alert for the initial credit report inquiry to process your application; you will also receive an alert for the account being opened.
  • If the lender reported your account to all three of the major credit bureaus – Experian, Equifax and TransUnion – you may receive an alert from each bureau.

Between May 12-14, 2021, eligible community members were sent an email with a unique activation code. The former universal activation code (JCZGTC333) may no longer be used for new activations.

As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. These notifications also included credit monitoring and identity theft protection activation codes for Experian IdentityWorks. 

If you have already signed up for Experian IdentityWorks using the former universal activation code, there is no need to sign up again. 

Experian® is one of the three credit bureaus in the U.S. See Experian’s approach to privacy.

Individuals eligible for credit monitoring and identity theft protection services were notified between May 12-14, 2021. As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. These notifications also included credit monitoring and identity theft protection activation codes for Experian IdentityWorks.

 An activation code is contained in the letter or email to sign up for Experian IdentityWorks.

Individuals who are eligible for free credit monitoring are:

  • Employees (current and former) and their dependents;
  • Retirees and beneficiaries;
  • Current students; and
  • Participants in the UC Outreach Program.

Please check your emails between June 30 and July 1, 2021, for an email from Experian. Please also check your spam folder.  

As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. These notifications also included credit monitoring and an activation code is contained in the letter or email to sign up for Experian.

Individuals who are eligible for free credit monitoring are:

  • Employees (current and former) and their dependents;
  • Retirees and beneficiaries;
  • Current students; and
  • Participants in the UC Outreach Program.

If you fall into one of these categories but did not receive an individual code, please call our dedicated call center at 1-866-904-6220 for assistance.

  • I do not have a credit file
  • I do not live in the United States
  • I do not have a Social Security Number

A credit file (commonly known as credit history), U.S. address, and Social security number are necessary for credit monitoring. Individuals who do not have a credit history may enroll in Experian’s Identity Product which includes Internet Surveillance, $1M identity theft insurance and full-service identity restoration.

If you are eligible, you may register for Experian’s Identity Product using the activation code found in your individual notification sent between May 12 and May 14, 2021. As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. These notifications also included credit monitoring and identity theft protection activation codes for Experian IdentityWorks.

An Experian representative will be happy to answer any questions you might have and may be reached at 1-866-904-6220.

A credit file, commonly known as credit history, is necessary for credit monitoring. Individuals who do not have a credit history may enroll in Experian’s Identity Product which includes Internet Surveillance, $1M identity theft insurance and full-service identity restoration.

If you are eligible, you may register for Experian’s Identity Product using the activation code found in your individual notification sent between May 12 and May 14, 2021. As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. These notifications also included credit monitoring and identity theft protection activation codes for Experian IdentityWorks.

An Experian representative will be happy to answer any questions you might have and may be reached at 1-866-904-6220.

Authentication is the process of determining whether someone or something is, in fact, who or what they declare to be. Multifactor authentication is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. Multifactor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification).

Other/ UC support and resources

It is not necessary to notify the University about affected data from the Accellion event.

The University is working to identify the community members whose information was impacted. These investigations take time, and the University is working deliberately, while taking care to provide accurate information as quickly as it can. By mid-July, the University expects to send appropriate individual notifications through Experian to those whose current contact information is available to the University.

There is no evidence to suggest log-in credentials were compromised. In any event, it is a best practice to regularly change your passwords.

We ask that University community members remain vigilant against threats of identity theft or fraud. Additionally, it is always a good idea to be on alert for “phishing” emails or phone calls by someone who acts like they know you or are part of a company that you may do business with, and requests sensitive information, such as passwords, Social Security numbers, or financial account information. You may report suspected phishing or social engineering attempts to the following email addresses depending upon your campus: 

We also recommend that you rotate passwords and use multifactor authentication for your online accounts when offered.

Certain student IDs were affected. As of June 30 and July 1, 2021, the University sent the appropriate individual notifications via Experian. This notice contains information on the impacted data.

UC community members are being notified via USPS mail where current physical addresses are available. If the University does not have a physical address, but does have an email address, it will send the notification via email. These notifications also included credit monitoring and identity theft protection activation codes for Experian IdentityWorks.

There are several mental and emotional health support and safety planning resources available across the University community:  

  • Faculty & Staff Assistance Program– Each campus, medical center, and national laboratory within the University administers its own faculty and staff assistance program (sometimes called an Employee Assistance Program). Assistance programs offer free, confidential resources for emotional health, often available right on campus, with easy access to short-term counseling, assessment, and referral. For more information on assistance programs available at specific UC locations, click here.  
  • CARE– For survivors of sexual violence, intimate partner violence, or stalking, please contact a UC CARE Advocate for confidential, compassionate support and safety planning. For more information about your campus CARE office, click here. If you’re in danger or need help now, call 9-1-1.   

If you need support beyond the UC community, these offices can also provide information about potential local resources that are available.  

A Social Security number is required to sign-up for credit monitoring. Adults without a Social Security number are eligible for Experian IdentityWorks Global. The activation code in individual notifications sent between May 12 - May 14 and June 30 - July 1, 2021, also works for Experian IdentityWorks Global.

The University has arranged for a dedicated call center through Experian. An Experian representative will be happy to answer any questions you might have about the event or the University’s response. Those representatives may be reached at 1-866-904-6220.

Questions about this incident may be sent to communications@ucop.edu.

Questions about UCUES and applicant information

The University of California Undergraduate Experience Survey (UCUES) solicits student opinions on a broad range of academic and co-curricular experiences, including instruction, advising and student services. UCUES provides information about student attitudes and behaviors including time use, academic engagement and community involvement. It assesses attitudes towards many different aspects of campus life including academic advising, campus climate, courses & instruction, and interaction with faculty. It documents students' self-perceptions and goals, political beliefs, and perceptions of the role of the research university. It also collects background demographic information, such as first language, family immigration background and social class.

UCUES has been used extensively to guide the University on improving the undergraduate experience. Campuses also use UCUES to report on the quality of their academic programs to their academic senates. Some campuses have used UCUES data in their WASC accreditation self-studies. Other campuses, as well as the Council of Vice-Chancellors of Student Affairs, use UCUES to evaluate the quality and use of their student services. A number of campuses have used UCUES to report on campus climate and the impact of diversity on students' educational experiences.

UCUES data and results have been used in UC’s Annual Accountability Reports, UC Budget for Current Operations, and to inform regents' committees, such as the Long-Range Guidance Team, the Diversity Study Group, and Student Basic Needs Committee.

We have not identified any other impacted surveys.

The impacted information includes participants’ full survey responses, which potentially include your name; email address; student ID; background and personal characteristics; academic engagement; educational experiences; personal development and mental health; the campus climate for diversity and inclusiveness; sexual misconduct situations; student life; and food and housing security, if you provided this information in response to the survey. A sample list of the questions from the survey can be found here.

The University used the Accellion FTA to transfer large files such as the survey results.  Unfortunately, perpetrators exploited a vulnerability in the application and attacked over 100 organizations including universities, government agencies, and private companies. When the University discovered the issue, we took the system offline and patched the Accellion vulnerability. We are in the process of transitioning to a more secure solution. The University cooperated with the FBI and worked with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted, and to whom the data belongs.

When the University discovered the issue, it took the Accellion FTA offline and patched the vulnerability. There is no evidence that other University systems were impacted. The University is in the process of transitioning to a new file transfer system with enhanced security controls, deploying additional system monitoring broadly throughout its network, conducting a security health check of certain systems, and enhancing security controls, processes, and procedures.

When the University discovered that student responses gathered in the 2020 University of California Undergraduate Experiences Survey (UCUES) were, unfortunately, part of the data in the Accellion FTA at the time of the cyberattack and posted to the internet, it began reviewing the policies and procedures surrounding the biennial survey to better protect the personal data and privacy of the UC community. That process to strengthen these policies and procedures is ongoing.

There are several mental and emotional health support and safety resources available across the University community:  

  • Counseling & Psychological Services– Confidential mental and emotional health support is available for students through the appropriate counseling and psychological services office (sometimes called CAPS) for your campus:  
  • Faculty & Staff Assistance Program– Each campus, medical center, and national laboratory within the University administers its own faculty and staff assistance program (sometimes called an Employee Assistance Program). Assistance programs offer free, confidential resources for emotional health, often available right on campus, with easy access to short-term counseling, assessment, and referral. For more information on assistance programs available at specific UC locations, click here
  • CARE– For survivors of sexual violence, intimate partner violence, or stalking, please contact a UC CARE Advocate for confidential, compassionate support and safety planning. For more information about your campus CARE office, click here. If you’re in danger or need help now, call 9-1-1.  

If you need support beyond the UC community, these offices can also provide information about potential local resources that are available.  

The contact information for individuals who started or completed the application process for the University of California for the 2021 – 2022 school year were impacted. That contact information is limited to names, email addresses, and phone numbers.

The University is separately notifying these individuals, and their notification will contain information on what precautions they may take.

Information from submitted applications for the University of California for the 2020-2021 school year were impacted. This information could include date of birth, gender identity, family household income level, ethnicity and/or tribal affiliation and first language, sexual orientation, academic information (GPA, test scores), and whether you have received foster care.

The University is separately notifying these individuals, and their notification contains information on what precautions they may take.

The University is separately notifying 2020-2021 and 2021-2022 student applicants. Their notification contains information on what precautions they may take. 

We ask that University community members remain vigilant against threats of identity theft or fraud.  Additionally, it is always a good idea to be on alert for “phishing” emails or phone calls by someone who acts like they know you or are part of a company that you may do business with, and requests sensitive information, such as passwords, Social Security numbers, or financial account information. You may report suspected phishing or social engineering attempts to communications@ucop.edu, or the following email addresses depending upon your campus:

We also recommend that you rotate passwords and use multifactor authentication for your online accounts when offered.