UC Data Breach

A number of retirees have received notices from the University of California (UC) about an “Accellion Data Breach”. This seems to most directly affect retirees who receive their pensions from UC. More information is on the UCnet website (ucnet.universityofcalifornia.edu/ and click on a topic related to “Update”)

What does this notice mean?

If your pension is from UC, your personal information, as well as that of your spouse and survivors, has likely been part of this data breach. The information that was breached may include: name, address, phone number, birth date, Social Security number, and bank account information. This information is exactly what is needed to carry out Identity Theft. UC believes that the everyone in the UC community (Staff, Students, Retirees, and affiliates) may be affected, and it may be difficult, or impossible, to identify each person who has had their information breached. In addition to UC, about 100 other organizations have been affected by a similar vulnerability.

As far as we know now, the personal information of non-UC retirees (CalPERS, and LANS/Triad) is not part of this data breach. Nevertheless, research is continuing and more people may be found to be affected.    

What to do?

You should read the steps UC recommends to protect yourself on their Update and FAQ pages. Before signing up for the credit monitoring and identity theft protection UC is offering, however, you may want to check whether you already have these if you signed up for them as a result of the OPM (the Office of Personnel Management) data breach in 2015. A drawback of credit monitoring, however, is that you will only be notified you after an account has been opened in your name. Putting a fraud alert on your that credit report is another way to reduce potential damage. Drawbacks to a fraud alert are that: it only lasts a year, and then must be put on again; and the effectiveness of a fraud alert relies on a person at the credit granting organization taking extra steps to verify your identity. There is a third option to protect yourself: putting a “freeze” on your credit report. Doing this can keep a bogus account from being opened without your knowledge. If you are not familiar with what a credit freeze is, you can get a lot more information from the webpages of the Federal Trade Commission (FTC, at www.consumer.ftc.gov) and searching for credit freeze. Putting a freeze on your credit report takes a bit more work, since you have to arrange for it with each credit reporting organization. And, if you want to apply for a loan or new credit card, you have to “unfreeze” your credit report then re-freeze it afterward. You can place or remove a credit freeze online or by telephone, and it no longer costs anything to do. Though more work, a credit freeze can provide better protection for your credit and your identity. You should also pay attention to the transactions in your bank account to verify they are correct.

What NOT to do?

You should NOT respond to emails or phone calls that demand money to keep your personal information from being posted or otherwise publicized. If you are thinking about paying such a “ransom”, before you do, you may want to consider that a significant fraction of the hackers involved in previous data breaches have posted personal information even after a ransom was paid. The hackers have already broken the law, and have no particular obligation to honor their promise.