LOS ANGELES — The University of California is warning its students and staff that a ransomware group might have stolen and published their personal data and that of hundreds of other schools, government agencies, and companies nationwide.
A cybersecurity attack targeted a vulnerability in Accellion, a third-party vendor used to securely transfer files, the university said in a Wednesday statement.
“We understand those behind this attack have published online screenshots of personal information, and we will notify members of the UC community if we believe their data was leaked in this manner,” the university said.
The hacker or hackers also have been sending threatening mass emails threatening to publish data “in an attempt to scare people into giving them money,” the statement said.
In an update Friday, the university system said the cyberattack affected about 300 organizations, “including universities, government institutions, and private companies.”
Other schools, including Stanford University’s School of Medicine and Yeshiva University in New York City, have reported that student and employee Social Security numbers and financial information were stolen and that some were posted online.
The information was obtained in December and January when hackers exploited a 20-year-old Accellion file transfer service vulnerability, various reports have said. However, some organizations said they only recently became aware of the breach.
The Baltimore Sun on Thursday reported that private information of staff members and students at the University of Maryland, Baltimore, was posted online this week. The school said a hacking group known as Clop gained access to Accellion in December, the Sun said.
The University of Colorado and Miami reported that files were accessed in January and included personal data and health, study, and research data. Last month, the Washington State Auditor’s Office said that information on nearly 1.5 million unemployment applicants had been stolen.