UC Berkeley officials are investigating a data breach that affected a system that contained personal data including social security numbers and bank information of more than 80,000 students, employees and alumni. No evidence exists that shows anyone accessed or used any of the information but Berkley continues the investigation. The data breach occurred in December but was made public on Friday.
The breach occurred when an unauthorized person accessed computers that are part of Berkeley’s Financial System through a security flaw. The “security flaw” is currently in the process of being patched. The university uses Berkeley Financial System for purchasing and most non-salary payments, school official said in a statement. Investigators who were looking into the breach collected names and contact information for people at-risk and started sending out notice letters Friday containing credit protection services.
We (looked) at all the available evidence of what the attackers did, and as we looked at that, we don’t see any evidence that these are the kinds of attackers that did access the data, or did anything to take that data,” Paul Rivers, UC Berkeley’s chief information security officer, told reporters, according to SF Gate.
The SF Gate reported this cyberattack is the third-largest breach affecting the school in years and shows how difficult it is to protect academic institutions. Rivers said part of the difficulty with protecting the school is the fact officials can’t close if a major breach happens. He said he can’t treat network security on campus like it was a bank or tech company. The FBI was notified of the hack and are currently investigating it.
On Friday, the university began sending letters to those affected by the breach, suggesting they be “alert to signs of any possible misuse of their information.” It also offered them a year of free credit-monitoring services. It’s unclear exactly how much those services might cost UC Berkeley.
The incident offers a window into how the university handles such situations. The action that led to the breach, patching complicated software, is a process that can take weeks to test and install properly. The campus data security chief is wary of how much he says publicly, fearing tipping off others who might attack campus computer systems.