Financial system breached at UC Berkeley campus, exposing 80K records

San Francisco's UC Berkeley has been hit with a breach and the 80,000 records have been exposed

UC Berkeley has experienced a data breach for the second time in about a year. This time, the records of about 80K individuals were exposed.
UC Berkeley has experienced a data breach for the second time in about a year. This time, the records of about 80K individuals were exposed.

The University of California, Berkeley, is in damage-control mode after discovering that cyber-attackers recently breached a system containing the Social Security and bank account numbers of approximately 80,000 students, faculty members and vendors.

In a news bulletin posted late last week on UC Berkeley's website, the university acknowledged that in December 2015 an unauthorized party exploited a security flaw in order to access portions of computers that are part of the Berkeley Financial System (BFS), a financial management software application that the university uses for purchases and most non-salary payments.

In an email interview, Janet Gilmore, senior director of UC Berkeley's Office of Communications & Public Affairs, told SCMagazine.com that the perpetrators gained unauthorized access into the system on Dec. 28, 2015. Within 24 hours the university discovered the breach and took measures to mitigate the damage, including removing all potentially impacted servers from the network so there could be no further access.

“The hacker/s gained entry due to a defect into the commercial software that UC Berkeley uses for its financial system,” Gilmore explained.

The university was previously aware of the vulnerability and was in the midst of fixing it when the attackers struck. The university became aware of the "defect in mid-November 2015 and from that point on, the process began of acquiring the appropriate patch, installing and testing it,” said Gilmore. “Our IT officials were in the process of patching the system when the breach occurred. Completion of the server patch occurred in early January.”

Tod Beardsley, lead security researcher at cyber-security solution provider Rapid7, told SC that the UC Berkeley breach “illustrates many of the challenges that… higher education networks face: a cultural resistance to limiting access across the network, combined with a potpourri of disparate network application vendors, each with differing security levels.”

The university's official announcement states, “The campus has no evidence that any unauthorized individual actually accessed, acquired or used any personal information.” 

Gilmore elaborated to SC that this statement was based on a nearly two-month investigation conducted by campus IT officials and an outside data forensics firm.

The university contacted the FBI and notified all affected individuals, offering them credit protection services and identity theft insurance out of what Gilmore described as “an abundance of caution.”

The breakdown of victims includes approximately 50 percent of the current student roster and 65 percent of active employees at the campus. The 80,000 affected individuals include about 57,000 current and former students, approximately 18,800 current and former employees (including student workers), and about 10,300 vendors who conduct business with the campus. (These figures add up to more than 80,000 due to duplication of names between categories.)

“The security and privacy of the personal information provided to the university is of great importance to us,” Paul Rivers, UC Berkeley's CISO, said in the university's official announcement. “We regret that this occurred and have taken additional measures to better safeguard that information.”

UC Berkeley suffered a previous data breach in December 2014 and February 2015, when an unauthorized party accessed a web server maintained by the university's Division of Equity and Inclusion. In this case, the breach was considerably smaller, with about 550 parties having their family financial information exposed, including SSN and bank account numbers. SC previously reported on other breaches at UC Berkeley in 2014 and 2009.

Colleges and universities tend to store vast amounts of personal data, yet often lack the necessary IT security budget to protect that data, said Jason Hart, CTO, data protection at digital security firm Gemalto, in an interview with SC.

Hart said universities must “adopt a data-centric view of digital threats, starting with better identity and access control techniques, such as multi-factor authentication and the use of encryption and key management to secure sensitive data. That way, if the data is stolen, it is useless to the thieves.”