The University of California refuses to release public records pertaining to the December 2020 Accellion data hack.
The hack, which targeted a vulnerability in the Accellion file transfer appliance used by the UC, leaked personal information such as social security numbers and personal addresses of students, staff, faculty and applicants across the UC system.
In accordance with California’s Public Records Act (CPRA), the Nexus submitted a request to both the UC Office of the President (UCOP) and UC Santa Barbara CPRA offices on May 10, 2021, asking for the offices to provide any and all internal university communication that discusses or mentions the UC Accellion data breach. Both parties refused to comply with the request.
The UCOP CPRA office responded to the Nexus’ CPRA request on May 11 and declined to provide records.
The office cited exemptions that “disclosure of the record would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency” and that “the public interest served by not disclosing the record clearly outweighs the public interest served by disclosure of the record.”
According to UCOP’s response, it is in the public interest to “protect the integrity of the University’s IT security systems and to protect against future efforts to gain access to systems” by withholding the data.
The UC first acknowledged the hack on March 31 in a memo released by the UCOP that stated that the UC, along with other institutions across the country, was subject to a cybersecurity attack targeting the Accellion file transfer appliance (FTA). Students were first directly notified of the data breach on April 2 in an email sent by UCOP to the UC-wide community.
Following the memo, the UC published and updated a page of frequently asked questions (FAQs) with answers regarding the data breach, informing students that personal information like social security numbers and addresses from students, staff, faculty and UC applicants had been exposed as a result of the Dec. 24 hack. Those whose information had been leaked were directly contacted on June 30 and July 1. Additionally, the data breach led to an FBI investigation, and the Office of the President announced it was “transitioning to a more secure solution” regarding cybersecurity, the FAQ page stated.
These public statements from the university — the FAQs, the notice of breach and the emails sent to the UC community — are currently the only university-provided records regarding the hack.
Kelly Aviles, an open government and media attorney based in Southern California, disputed UCOP’s claim of public interest and the claim that disclosures of records would reveal vulnerabilities.
“I think they are exaggerating the security risk of disclosing information, and I think it’s really intended to keep from embarrassment about the breach to begin with,” Aviles said.
“It would be highly unlikely that you had a data breach and that any information you disclose about the data breach could create problems. They could disclose information about the data breach and what they’ve done to correct it without disclosing technical information that could pose that problem,” Aviles continued.
“All this information wasn’t disclosed before and they still have this problem, so it’s not like keeping things secret is the answer to preventing cyber [attacks].”
The Nexus replied to UCOP on May 24, disputing the public interest exemption and asking that the office provide the records, but narrowly redact any documents that contain sensitive information.
On May 28, Public Records Act (PRA)/Conflict of Interest (COI) Coordinator Dan Scannell responded to the Nexus, stating that both cited exemptions still applied as the university continues to “resolve the matter” and that due to the active FBI investigation, “the University is generally prohibited from disclosing certain records related to an ongoing federal investigation.”
However, Aviles says the latter exemption cannot be applied because the UC is not a law enforcement agency.
“CPRA differentiates between law enforcement agencies and what they can withhold and what non-law enforcement agencies can withhold when it comes to investigations,” Aviles said.
“[The requested information] may be relevant to the FBI investigation, but it is not their investigation. They’re doing an investigation to figure out what happened and how the data breach occurred, it’s not an investigation for legal prosecution purposes … I don’t think they’re correct in asserting that exemption.”
In the same email, Scannell said that “once the FBI investigation is completed and the IT security issues are resolved, additional records will then be disclosable” and told the Nexus to submit a new request in several months. The UC has not yet communicated whether the investigation is complete. The Nexus recently resubmitted the original CPRA request on Aug. 20 and has not yet received a response.
The Nexus filed a request to the UCSB PRA office on May 10 as well and received a response on May 13.
Monica Dussert, the paralegal coordinator for UCSB, declined to provide records, citing attorney-client privilege — an exemption protecting communication between attorney and client — and deliberative process privilege — an exemption protecting communication that would expose an agency’s decision-making process.
Aviles disputed the attorney-client privilege exemption, stating that some information may be protected under the exemption “but that doesn’t give them the right to withhold everything.” Records with privileged information can be redacted and produced, according to Aviles.
“It is their job to meet the burden of why documents are exempt from disclosure and the fact that I can’t confirm for you that [those documents fall under] attorney-client privilege means they really haven’t done their job,” Aviles said.
Additionally, Dussert’s response stated, “much of the internal university communication that discusses or mentions the UC Accellion data breach would be attorney-client privilege communication.”
The CPRA requires agencies to conduct a thorough search in response to a request, and though Dussert’s response acknowledged the existence of responsive records, she did not provide enough information to confirm that a thorough search had actually been conducted.
The Nexus responded to Dussert on May 24, asking for a number of responsive records to be provided to confirm that a thorough search had been completed, even if said records could not be released. Dussert responded a month later, saying that they “have conducted a review of files and determined that any responsive drafts, memos, and internal communications regarding the UC Accellion breach are exempt from disclosure on the basis that they fall under attorney/client privilege and/or they are part of the deliberative process.”
She did not provide the number of responsive records and deemed the records request closed.
Aviles maintains that the disclosure of these records, specifically regarding the root of the attack, is key in aiding the UC community and preventing future attacks.
“I don’t know how the attack occurred, [which is] part of the problem. Is there better employee training needed? Is there sufficient employee training going on? Those are the kinds of questions that would be answered by disclosure of this information,” Aviles said.
John Bambenek, president and chief forensic examiner of Bambenek Consulting, emphasized the dangers of the hack and noted that the effects may not take an immediate toll but may manifest in several years, particularly for students whose personal information was leaked.
“If I’m a criminal, I don’t want to steal a college student’s identity. You don’t get big credit. But in 10 to 15 years, they have the same social security number, they get jobs and then I want to steal their identity,” Bambenek said.
The UC has offered one year of free credit monitoring and identity theft protection services through Experian, which Bambenek says is a “typical” response but does very little.
“People aren’t opening up lines of credit on random victims. Right now there’s lots of other stuff [criminals] can do that credit monitoring doesn’t provide any protection for.”
Bambenek said the most important move now is “being clear about what data was accessed by whom and giving an honest assessment about what that means for victims.”
According to the FAQs on the UCOP website, the UC is currently “in the process of transitioning to a new file transfer system with enhanced security controls,” but during their May meeting, the UC Regents chose not to increase expenditures on cybersecurity.
Aviles said the decision to not increase funding is hard to justify with such a glaring lack of context, and it’s for that very reason that the university needs to provide records on the incident.
“How would we know whether what they’ve invested is sufficient, when we can’t figure out where the failure was and why the failure arose the way … The public should have information about how they’re handling this, so that students, the public and people affected by this can have a say in what they do going forward,” Aviles said.