It’s almost finals week. I log into my MacBook to begin studying but instead, find my desktop completely wiped clean.
This incident took place the same week the University of California sent yet another round of emails alerting students of a cybersecurity attack that resulted in the personal information of current and former employees and their dependents, retirees and students being posted on the dark web – including my own email.
Because of that alert, I knew I was at risk and backed up my desktop onto a hard drive, so none of my valuable files were lost permanently.
Unfortunately, not everyone affected by the breach can say the same.
While students like myself were notified in mid-May, impacted members and applicants not currently enrolled or working at the UC weren’t notified of their compromised data until June 30 or July 1.
When it comes to sensitive personal data, the UC needs to address critical gaps in its breach prevention and response. It’s not enough for the University to notify affected parties – some of whom have never enrolled or worked for the UC – and expect them to find out whether their information was leaked. An event of this gravity should compel the University to adopt policies that ensure both short and long-term protection of its community members’ information.
Data breaches are inevitable in the 21st century. The UC needs to be prepared, but its response to this attack shows that it still has a long way to go.
The first round of emails stirred confusion in and outside the UC community, as it explicitly states students could be potentially impacted. But students would have to wait more than one month for the UC to confirm that their information was potentially leaked during the breach.
Those potentially or definitively affected are prompted to sign up with Experian IdentityWorks, a free credit monitoring and identity theft protection service offered by the UC for those eligible for up to a year. The subscription lets the user track personal information and sends email alerts of compromised information.
The UC also encourages everyone who believes their information is at risk to place a fraud alert or freeze on their credit file, set up multifactor authentication and change old passwords.
These recommendations are great, but after you’ve entrusted a highly regarded institution with your information, they seem lackluster, if not downright frustrating.
“Even if it only affected like 5% of the population, the UC employs or has historically employed such an insanely huge population,” said Tristen Appel-Bernstein, a fourth-year sociology student. “If it was a big enough problem for them to have to send out an email like that, they have a responsibility to do more.”
Instead of students waiting for answers to come, the UC should be more proactive.
A good first step would be to provide students with complimentary backup hard drives and malware security programs for their computers, which will allow students to be protected and equipped for future cyberattacks. An annual audit of the UC’s cybersecurity system could ensure the community the programs they use are secure and updated. Add in an enforced specialized training for IT staff to assist in the event of a cybersecurity threat, and the UC will be well on its way to protecting community members’ data.
The University also needs to do better for those who don’t work or aren’t enrolled at a UC campus.
Stephanie Hu, a current Vanderbilt University student and UC applicant for the 2019-2020 academic year, said that near the end of May, UC Berkeley notified her that the email from her application had been leaked onto the dark web; however, she did not receive any previous notices about the cyberattack.
“Current UC students (had) known for two months or something before that,” said Hu. “In those two months, how much of my information (had) been compromised or … (given) out to other people?”
Rashi Ranjan, a current student at the University of Pittsburgh and UC applicant for the 2019-2020 academic year, said she felt frustrated that UC applicants don’t have the same resources as students enrolled at a UC campus.
“All they have to do is give me and other fellow UC applicants the same credit protection that they gave other students,” said Ranjan.
And during a time when technology is necessary for schooling and work, resources such as credit monitoring can be critical to securing students’ information.
Kat Fox, a fourth-year sociology and American literature and culture student, said that she signed up with Experian and believes it’s important for students to hold institutions accountable.
“So many students are desensitized to information insecurity because of the assumption that their personal information was never watertight to begin with, in terms of all the institutional, educational, professional and social platforms that routinely abuse their privacy and information,” said Fox.
The UC data breach FAQ page states those eligible for Experian include applicants who were notified but neglected to mention whether those who applied for the 2019-2020 academic year or prior will receive free credit monitoring since the breach allegedly did not affect them.
The University is taking some steps, like increasing enhanced security controls, deploying additional system monitoring broadly throughout its network and enhancing security controls, processes and procedures, according to the FAQ page. It also conducted an investigation into the incident that included reconstructing impacted files.
Yet, despite the heightened security responses, students are still left to fend for themselves.
The UC Office of the President can do more to tackle future cyberattacks. Its lengthy investigation had impacted students waiting far too long.
And for some, time has already run out.