Some UCLA students and prospective University of California students expressed uncertainty in the UC’s ability to protect their personal information following a nationwide cybersecurity attack.
Hackers stole information from around 100 organizations including universities, government institutions and private companies, along with the UC by exploiting a vulnerability in file transfer company Accellion’s product called the Accellion File Transfer Appliance, UC officials announced in a press release Friday.
The stolen information could include names, addresses, Social Security numbers and bank account information of UC employees, retirees, dependents and families of UC community members, according to the UC Net website.
The hackers are asking for money, according to the UC press release. The UC declined to comment further.
[Related: Nationwide cyberattack targets personal information of some in UC community]
Molly Abroms, a first-year human biology and society student, said she is afraid her information could have been stolen, at least because the UC did not specify who was affected.
The UC did not do much to help besides telling the community to sign up for free credit monitoring and identity theft protection, Abroms said.
“It seemed kind of confusing to me,” Abroms said. “I feel like on their end, they should be protecting our accounts and stuff first before we have to go out and seek different resources for that.”
Noah Lopez, a senior from Escondido Charter High School, received an email from the hackers saying his information was compromised after he applied to UC schools in the fall.
“I didn’t really think much of it (the email) … when I clicked on the link I saw social security numbers,” Lopez said. “I was really starting to get worried because I realized that this is something, could be something way bigger.”
Lopez said he still has not received any updates from the UC besides seeing the UC’s statements in the news. He added that he feels the UC is not being clear enough with the general public about the nature of the cyberattacks and what information could be compromised.
Peter Reiher, a UCLA computer science adjunct professor, said Accellion was aware of problems with the FTA product in December. However, that does not mean the UC Office of the President was aware of problems occurring, he said.
According to an Accellion press release from March, the company hired FireEye Mandiant, a cybersecurity forensics firm, to investigate the cyberattacks that happened in December 2020 and January 2021 and to review Accellion’s software for other security vulnerabilities.
The attackers exploited multiple vulnerabilities in Accellion’s FTA, according to FireEye Mandiant. Several organizations began receiving extortion emails threatening to publish stolen data on the dark web as early as January 2021, according to FireEye Mandiant.
The FTA product was supposed to be retired soon and Accellion may have not paid as much attention or upgraded it, Reiher said.
Accellion announced in February that it will end the FTA software by April 30.
The UC is conducting a review of security controls for systems handling sensitive data and will be implementing additional security measures to prevent similar attacks in the future, according to the UC Net website.
It is also working with local and federal law enforcement and third-party vendors to assess compromised information and limit the release of stolen information, according to a UC Net press release April 2.
The UC is offering the entire UC community a free year of credit monitoring and identity theft protection through Experian IdentityWorks, according to the press release. The release also recommended the community not engage with suspicious emails and set up fraud alerts for bank accounts and credit files.
UCOP established a dedicated email account where people can ask further questions to [email protected] and UCLA community members can report suspicious activity to [email protected], a UCLA campus-wide email stated.
If you have given any information over the internet, the safest thing to do is assume that somebody has stolen it, Reiher said.
“Essentially, from that perspective, you just need to always be careful,” Reiher said, “To some degree, it almost doesn’t matter if you go to new websites, legitimate websites and provide new information because you’re probably providing the same information somebody (has) already stolen.”