Update 02/26/2016: This article has been updated to reflect additional information and interviews from campus officials and professors.
Campus officials are alerting nearly 80,000 current and former faculty, staff, students and vendors about a criminal cyber security breach on a campus system, making vulnerable thousands of Social Security or bank account numbers.
The data breach occurred Dec. 28 in a portion of the Berkeley Financial System, or BFS, software used by the campus for financial management.
“We don’t see any evidence that this is the kind of attacker that actually did access the data or did anything to take that data from the system,” said campus Chief Information Security Officer Paul Rivers in a phone press conference Friday.
The system that houses BFS is large and complicated, Rivers said, containing numerous machines and various types of software packages. When the campus detected a vulnerability in one of these areas in November, the campus began installing and testing a security fix — known as a patch — which can take weeks, Rivers said during the press call. During this process, attackers were able to discover a security flaw and gained access to the system.
BFS contains the information of about 50 percent of current students and 65 percent of active employees. Affected individuals largely include students, faculty and staff who received payments from the campus, mainly through electronic fund transfers. Those who received paper payments, however, may have also been affected.
A private computer investigation firm was retained by the campus to further determine whether personal information was compromised. The campus will send notice letters in the mail with more information about free credit monitoring and insurance to those who were potentially impacted starting Friday.
According to Rivers, this is the third significant breach UC Berkeley has seen in the past five years.
Within a day of the unauthorized intrusion Dec. 28, the campus’s security team had detected the attack and begun efforts to contain it, according to campus spokesperson Janet Gilmore.
Once campus IT staff identified the unauthorized access, they forensically preserved copies of the system for investigation purposes and took affected servers offline for about two weeks to prevent further access. When the campus shut down BFS and supporting systems, some students received emails in early January notifying them of possible disruptions to financial aid disbursements.
Transparency about the breach should have been more immediate, said campus associate professor of practice of art Greg Niemeyer, considering the type of information compromised.
The campus has not been able to identify the perpetrators of the attack, according to Gilmore, although it has notified law enforcement agencies such as the FBI.
Campus computer science professor and computer security expert David Wagner said it is usually difficult to know the extent of the damage with many data breaches.
“Usually it means hackers got access to a system,” Wagner said. “They might have been able to copy the data, and we have no way of knowing what they’re going to do with the data if anything.”
Rivers noted during the call that the UC Office of the President’s recently implemented coordinated monitoring system was not used to detect this attack, as that device’s main purpose is to verify whether a similar attack is being perpetrated somewhere else in the UC system, rather than just at UC Berkeley.
“We had the coordinated monitoring turned on,” Niemeyer said, pointing out that it didn’t prevent the breach. “It decreased privacy but did not increase security.”
UC Berkeley has some of the best security measures of all the UC campuses, Wagner said. For this reason, he said, UCOP’s security monitoring has a limited effect.
“Berkeley’s defenses were already catching essentially everything (UCOP’s hardware) caught, so I’m not convinced the (UCOP) network monitoring is a good security measure,” Wagner said.
The attack should embolden campus officials to separate systems within the network and differentiate their security approaches, Niemeyer said.
The campus plans to work on how to reduce its “time to patch,” according to Rivers. Although staff spotted the defect in cybersecurity and began deploying the patch prior to the intrusion, the process can be very lengthy, Rivers said during the press call.
“We’re seeing more attacks. We’re going to have to respond in kind and be much more agile about getting patches in place,” Rivers said during the call, adding that campus cybersecurity analyzes thousands of patterns of suspicious or malicious network traffic on a daily basis.
“I don’t think you walk away from a breach like this and say it’s business as usual,” he said.
Contact Suhauna Hussain and Adrienne Shih at [email protected].