From the University of California – Berkeley:
UC Berkeley officials are sending alert notices to approximately 80,000 current and former faculty, staff, students and vendors following a criminal cyberattack on a system storing their Social Security or bank account numbers.
The campus has no evidence that any unauthorized individual actually accessed, acquired or used any personal information; however, it is informing those potentially impacted so they can be alert to signs of any possible misuse of their information and take advantage of credit protection services the campus is offering free of charge.
The attack occurred in late December 2015, when an unauthorized person or persons obtained access to portions of computers that are part of the Berkeley Financial System (BFS). These criminals gained entry through a security flaw that UC Berkeley was in the process of patching. Law enforcement, including the FBI, has been notified.
The BFS is a software application the campus uses for financial management, including purchasing and most non-salary payments. Those potentially impacted include about 57,000 current and former students; about 18,800 former and current employees, including student workers; and 10,300 vendors who do business with the campus. The numbers add up to more than 80,000 because individuals may belong to more than one category.
This is approximately 50 percent of current students and 65 percent of active employees.
Many of the potentially impacted individuals include students and staff who received payments from UC Berkeley through electronic fund transfers, although paper payments may have been made in some instances. For students, this often involved financial aid awards that they elected to receive by electronic fund transfer. For many faculty and staff, this involved reimbursements, such as work-related travel reimbursements. Vendors whose Social Security numbers or personal bank account numbers were in the system in order for payment to be issued are also potentially impacted.
“The security and privacy of the personal information provided to the university is of great importance to us,” said Paul Rivers, UC Berkeley’s chief information security officer. “We regret that this occurred and have taken additional measures to better safeguard that information.”
The campus is providing potentially impacted individuals with one year of free credit monitoring and identity theft insurance, along with resources to assist them in monitoring their accounts for any suspicious activity.
In today’s cyber security landscape, large, high-profile organizations such as leading universities are under near-constant attack. Systems set up by UC Berkeley officials routinely identify such hacking attempts. If such attacks do occur, campus officials quickly respond. In this case, campus IT officials learned of the potential unauthorized access to data within 24 hours of its occurrence and took prompt action.
They removed all potentially impacted servers from the network so that they could no longer be accessed. A computer investigation firm was retained to assist with the investigation and help determine whether any personally identifiable information was accessed without authorization.
The investigators completed compiling the names and contact information for those potentially impacted on Feb. 25 and notice letters with information about free credit monitoring, insurance and other resources went out to them starting on Feb. 26.
UPDATE: A template notification letter is now available online on the California Attorney General’s web site.