Opinion: UC data breach response needs better communication, long-term cybersecurity plan

College students and faculty have little choice but to trust their university with virtually all of their personal information.

Unfortunately, there isn’t a guarantee it will stay protected.

According to a University of California Office of the President press release, the UC’s Accellion file transfer appliance fell victim to an international attack on Dec. 24, whereby perpetrators gained access to information from students, faculty and alumni. While the investigation is still ongoing, the personal information of several UC community members has been released on the dark web, including email addresses, driver’s license information and even social security numbers.

The University identified the breach March 29 and notified the community shortly after.

Now, the UC is offering community members one year of free credit monitoring and identity theft protection service through Experian IdentityWorks. Students and faculty are encouraged to sign up, and the University is still working on notifying those whose personal information was accessed.

Despite the handful of emails the University has sent, it’s questionable if students and faculty are fully aware of what happened or whether their information was leaked online. An incident of this magnitude necessitates an aggressive response from University officials and a firm commitment to protecting people’s private information.

The UC community deserves nothing less.

A major problem with the University’s communication has been that some community members do not fully understand the details of the breach.

“They were pretty vague emails,” said Iris Zietlow, a first-year theater student. “I don’t feel like it was really well communicated with what exactly was breached.”

Zietlow signed up for Experian upon finding out about the breach and learned that her email address had been released onto the dark web.

She was not the only student hit with this news.

Sachi Sengupta, a first-year neuroscience student, also found out her email address had been released on the dark web after signing up for Experian. Similarly, Sengupta was confused by the emails sent out by the UC and was unsure what to do after discovering her information was leaked.

“I don’t think (the UC) provided enough details just outlining why it happened (and) how it happened,” Sengupta . “How to act beyond just finding out that your information is stolen and solutions for that, I would like to know.”

According to a New York Times article about cybersecurity, if you find out your information is on the dark web, you should change your passwords, use two-factor authentication and check your credit reports for any unusual activity.

In addition to lacking clarity, these emails haven’t adequately reflected the gravity of the situation.

“(The UC) is so discreet about it,” said Shivika Sivakumar, a third-year computer science and politics student and president of the Student Union Assembly at UC Santa Cruz. “Data is the biggest currency right now. … Everything is revolving data, so I think it’s super important to start focusing on it.”

College students and staff deserve to feel safe when they provide their universities with necessary personal information. And when this information is compromised, they deserve to know exactly what risks they’re facing, immediately.

The Student Union Assembly at UCSC passed a resolution on May 18 calling on the UC to provide students and employees impacted by the breach with five years of free credit monitoring, instead of the original duration of only one year.

However, even if five years of free credit monitoring were approved, it is still not a guarantee that another breach won’t happen again. This is why it is imperative that UC works proactively and improves its information technology system security to protect community members from a potential breach down the line.

Sivakumar attended a meeting with the UC Office of the President to gain more information on the breach, but unfortunately, it wasn’t much help.

“They weren’t able to tell us much either, and that’s what frustrates me,” Sivakumar said. “Nobody knows what’s going on.”

If those in leadership positions can’t speak about the scope of the data breach themselves, it is impossible to expect students to understand it from a handful of verbose emails.

“This data breach is not students’ fault,” Sivakumar said. “We pay so much money into the University and if (it) can’t even protect our data or help us resolve that issue, it’s a huge hole in the system.”

UC published an update on the breach April 2 stating that it is working closely with law enforcement as well as third-party vendors to further assess the breach and prevent any more information from being compromised. The statement included that the privacy of all community members is a top priority for the UC.

While it is impossible to expect the UC system to be immune to every cyberattack, such a highly regarded institution should have a plan on how to prevent these attacks in the future. Moreover, it should have the means to effectively communicate potential threats to its students. While an investigation into the incident is commendable, a commitment to protecting the information of students and faculty requires more long-term planning.

Moving forward, the University is continuing to notify affected individuals and transitioning to a new, enhanced file transfer system. But it can do more.

Beyond offering individual students free credit monitoring, the UC must take preventative measures on a large scale. It’s essential that the University continues to work closely with major cybersecurity organizations for the long haul and formulates a sound cybersecurity response plan.

Such a significant threat needs to be clearly communicated to the UC community, who must be informed of how to move forward to ensure their own long-term security.

Without this, students and faculty simply won’t feel safe trusting the University with their personal information.