Their announcement:
UC Berkeley officials announced today (Thursday, April 30) that they are sending alert notices to current students and other individuals regarding a computer data breach that may have resulted in unauthorized access to their Social Security numbers or other personal information.
There is no evidence that such information has actually been used, but officials are notifying individuals in accordance with California law and so that they can be alert to signs of any possible misuse of their information.
The data breach involved unauthorized access to a campus Web server maintained by a unit within UC Berkeley’s Division of Equity and Inclusion. The server was used to store information including family financial information submitted by students. This included documents containing Social Security and bank account numbers.
Officials sent letters to all affected individuals on April 30. This included about 260 undergraduate students and some former students, as well as about 290 parents and other individuals, generally family members of the notified students. Current students also received emails, sent April 30. Paul Rivers, UC Berkeley’s interim chief security officer, emphasized that the campus regrets that this occurred and will be offering those individuals free credit monitoring for a year. They also will receive a resource list to aid them in checking for possible suspicious activity on their accounts.
When campus officials learned of the breach on March 14 they immediately removed the server from the network so that it could no longer be accessed. A digital forensics firm was brought in to investigate the matter and determine whether any personally identifiable information was compromised. Once the firm completed that work and confirmed the names of all impacted individuals, the letters were sent.
The investigation revealed that the unauthorized access first occurred in December 2014 and that an additional, separate, unauthorized access occurred in February 2015.