While 80,000 UC Berkeley Students and Staff Suffer Breach, Campus May Suffer Suit

• By Dian Schaffhauser
• 03/03/16

A data breach at the University of California Berkeley provided criminals with access to banking information and Social Security numbers belonging to about two-thirds of its current students and half of its employees, among others. The university has begun sending out notification of the security event to 80,000 current and former faculty, staff, students and vendors.

Simultaneously, a law firm with experience in data breach litigation has reached out to potential victims, a sign that institutions are increasingly facing the same kind of class-action lawsuits faced by corporations that have been hacked.

According to the university, the attack took place in December, when hackers broke into an institutional financial system through a security flaw that was being patched at the time. The Berkeley Financial System is used for purchasing and non-salary-related payments. The list of those whose personal information was exposed includes:

• About 57,000 students, former and current, most of whom had received financial aid awards they opted to receive by electronic funds transfer;
• About 18,800 current and former employees, including student workers, who primarily received reimbursements, such as work-related travel reimbursements; and
• About 10,300 vendors who do business with the university.

The count exceeds 80,000 because some individuals were in more than one group.

The university has begun working with the FBI on the case and retained a consulting firm to assist with the investigation. UC Berkeley has also set up a year of free credit monitoring and theft insurance, along with other resources to help those possibly affected to monitor their various financial accounts for potentially suspicious activities.

The institution reported that it had removed all impacted servers from the network and publicly stated that its investigation has uncovered no evidence indicating that exposed information has been misused. Although the breach took place in December, it has taken until now for the university to compile the names and contact information for potential victims.

The institution's chief information security officer also offered his apology. "The security and privacy of the personal information provided to the university is of great importance to us," said CISO Paul Rivers in a prepared statement. "We regret that this occurred and have taken additional measures to better safeguard that information."

However, that may not be enough to keep the campus out of court. In a signal that universities may become the target of lawsuits akin to those that hit Target and Sony after high-profile data breaches, national law firm Keller Rohrback LLP said it has begun its own investigation of the UC Berkeley breach.

"Students and staff should be able to trust that their university will ensure the security of their highly confidential and personal information — information which is commonly used to commit identity theft," said attorney Cari Laufenberg, a member of Keller Rohrback's complex litigation group, in a press release. The firm encouraged those who "are concerned that your personal information was breached and would like to know more about your rights," to contact the firm.

The same law firm is co-lead counsel in a case against Sony for its 2014 data breach. The settlement, which paid as much as $4.5 million to those affected (and $3.5 million to the lawyers handling the litigation), is currently pending in a district court in California. Keller Rohrback also represents plaintiffs in litigation against Target, which suffered a high-profile data breach in 2013.

Class action suits against universities aren't entirely new. In 2015 both the University of Miami and the University of Hawaii settled lawsuits related to previous data breaches.