Pages

Friday, April 9, 2021

Radio Silence on Accellion Breach - Part 3

As noted in Part 2 of this series,* we continue to get information about the Accellion breach, but it is mainly focused on what WE should do or not do, and not on what UC is doing. The latest missive was last night and is reproduced below from an email circulated yesterday.

Dear Bruin Community:
Continuing our commitment to share the latest information and resources with you about the data breach affecting the UC community, we wanted to share a new set of Frequently Asked Questions from the University of California Office of the President, which is also available in Spanish (PDF). We also urge you to sign up for free credit monitoring and identity theft protection through UC, if you have not already done so.
Please also remember that members of the UC community can email questions to communications@ucop.edu. We also remind you to report any suspicious email that is not from a recognized UCOP or UCLA address or any suspicious phone calls to security@ucla.edu.
We will continue to keep you updated and thank you for your attention on this important matter.
Sincerely,
Michael J. Beck
Administrative Vice Chancellor
UCLA Cyber-Risk Responsible Executive
===
If you go to the frequently asked questions referenced above, among them is one about who is liable:

I hold UC responsible for allowing my information to be exposed in this attack. What is UC is doing now to ensure my information is protected?


UC is reviewing security controls for centralized systems handling sensitive data, and is considering enhancements to its security program and controls. We are also working with local and federal law enforcement and third-party experts to investigate this incident, to determine what happened, what data was impacted, and who that data may belong to.

Source: https://ucnet.universityofcalifornia.edu/data-security/updates-faq/accellion-faq.html#1_6

Note that the response deflects from the issue of UC liability. According to another source, lawsuits are being filed against Accellion and at least in one case by individual victims against a user of Accellion:

...As the number of victims continues to trickle in, the breadth and scope of the Accellion incident bears hallmark to the Blackbaud incident—highlighting the need for entities to review vendor management processes. In the incident's wake, Accellion is facing at least 14 separate lawsuits led by some of the largest victims, including Kroger, Centene, and Washington state, among others.

Patients filed a lawsuit against Kroger for the Accellion hack, as well. Some victims are seeking to merge the lawsuits into one class action suit...

Full story at https://healthitsecurity.com/news/586k-trinity-health-patients-added-to-accellion-tally-as-lawsuits-pile-up

Is UC suing Accellion? Are individuals suing UC in some kind of class action as above? 

===

*Prior postings: https://uclafacultyassociation.blogspot.com/2021/04/radio-silence-on-accellion-breach-part-2.html and https://uclafacultyassociation.blogspot.com/2021/04/radio-silence-on-accellion-breach.html.

No comments: