Skip to main content

2020-2021 Accellion Data Security Incident


view of UC San Diego campus from above

 

On December 24, 2020, the University of California’s Accellion file transfer appliance (FTA) was the target of an international attack. Visit UCnet’s Accellion Data Breach page for more.

Perpetrators exploited a vulnerability in the application and attacked over 100 organizations, including universities, government agencies, and private companies. In connection with the attack, certain University data was accessed without authorization. On March 29, 2021, the University identified that some of this data was posted on the Internet.

UCUES Data

On May 26, 2021, UCOP sent a follow-up message to students who responded to the 2020 University of California Undergraduate Experience Survey (UCUES) and, unfortunately, those survey results were on the Accellion FTA at the time of the cyberattack and posted to the internet by the threat actor.

Students’ full survey responses were impacted, which may have included name; email address; student ID; background and personal characteristics; academic engagement; educational experiences; personal development and mental health; the campus climate for diversity and inclusiveness; sexual misconduct situations; student life; and food and housing security, if this information was provided by students in response to the survey.

Frequently Asked Questions and Answers (FAQ)

What resources does UC San Diego have if I’m concerned about my physical, mental or emotional well-being?

Student Support Session: On Wednesday, June 2, 2021 at 5 p.m., UC San Diego will hold a group session for concerned students to discuss possible responses to finding out that others may have access to your information, as well as offer the opportunity to learn what additional support is available to students.

Please use the following link to register for the June 2 Data Breach Support Session via Zoom.

Counseling and Psychological Services (CAPS) is available 24/7 for students whose academic and interpersonal functioning might be impacted by notification of the breach. Counselors are available to help students process the personal impact of the breach in their lives. During business hours, please call 858-534-3755. After hours, call 858-534-3755; select option 2; and please indicate that you are calling about the recent data breach.

A list of resources available to all University of California community members, including emotional support resources and more information on how to protect yourself, can be found on UCnet's Accellion Data Breach page.

What is UCUES?

The University of California Undergraduate Experience Survey (UCUES) solicits student opinions on a broad range of academic and co-curricular experiences, including instruction, advising and student services. UCUES provides information about student attitudes and behaviors including time use, academic engagement and community involvement.

It assesses attitudes towards many different aspects of campus life including academic advising, campus climate, courses & instruction, and interaction with faculty. It documents students' self-perceptions and goals, political beliefs, and perceptions of the role of the research university. It also collects background demographic information, such as first language, family immigration background and social class.

Why does UC conduct the UCUES?

UCUES has been used extensively to guide the University on improving the undergraduate experience. Campuses also use UCUES to report on the quality of their academic programs to their academic senates. Some campuses have used UCUES data in their WASC accreditation self- studies.

Other campuses, as well as the Council of Vice-Chancellors of Student Affairs, use UCUES to evaluate the quality and use of their student services. A number of campuses have used UCUES to report on campus climate and the impact of diversity on students' educational experiences.

Was other survey data impacted by the Accellion FTA security event?

We have not identified any other impacted surveys.

What types of information from the UCUES survey were posted to the internet?

The impacted information includes participants’ full survey responses, which potentially include your name; email address; student ID; background and personal characteristics; academic engagement; educational experiences; personal development and mental health; the campus climate for diversity and inclusiveness; sexual misconduct situations; student life; and food and housing security, if you provided this information in response to the survey. A sample list of the questions from the survey can be found here.

How did this happen?

The University of California used the Accellion FTA to transfer large files such as the survey results. Unfortunately, perpetrators exploited a vulnerability in the application and attacked over 100 organizations including universities, government agencies and private companies. When the University discovered the issue, we took the system offline and patched the Accellion vulnerability. We are in the process of transitioning to a more secure solution. The University is cooperating with the FBI and working with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted, and to whom the data belongs.

When the University discovered the issue, it took the Accellion FTA offline and patched the vulnerability. There is no evidence that other University systems were impacted. The University is in the process of transitioning to a new file transfer system with enhanced security controls, deploying additional system monitoring broadly throughout its network, conducting a security health check of certain systems, and enhancing security controls, processes, and procedures.

How does the University intend to protect the confidentiality of those that take the UCUES going forward?

When the University discovered that student responses gathered in the 2020 University of California Undergraduate Experiences Survey (UCUES) were, unfortunately, part of the data in the Accellion FTA at the time of the cyberattack and posted to the internet, it began reviewing the policies and procedures surrounding the biennial survey to better protect the personal data and privacy of the UC community. That process to strengthen these policies and procedures is ongoing.

How do I protect myself?

We ask that University community members remain vigilant against threats of identity theft or fraud. Additionally, it is always a good idea to be on alert for “phishing” emails or phone calls by someone who acts like they know you or are part of a company that you may do business with, and requests sensitive information, such as passwords, Social Security numbers, or financial account information.

Register for Experian IdentityWorks
If you were impacted by the data breach, you will have received a separate email from Experian with important information about signing up for this service, made available to you at no cost by the University.

For step-by-step help registering with Experian, please view this video tutorial (also available en Espanol).

Additional FAQs/Languages

Additional information is available on UCnet in English, Spanish, and Chinese.

Contact UCOP

Further questions from individuals in the University of California community may be directed to communications@ucop.edu.