Cyber Incident Victim: University of California, Berkeley

In late December 2015, attackers exploited a security flaw in the Berkeley Financial System (BFS), a financial management platform used by the University of California, Berkeley for processing purchases and non-salary payments. The breach allowed unauthorized access to internal university services containing sensitive personal information. The compromised system stored Social Security numbers and bank account details for approximately 80,000 individuals, including 57,000 current and former students (with student workers comprising part of this group) and 10,300 vendors. University officials estimated that roughly 50% of current students and 65% of active employees had their information potentially exposed. While forensic analysis found no conclusive evidence that data was actually exfiltrated or misused, the vulnerability window existed during the period when security patches were being applied to the BFS platform.

The university publicly disclosed the incident in February 2016, notifying the FBI and other law enforcement agencies. Chief Information Security Officer Paul Rivers acknowledged the breach in an official statement, emphasizing institutional regret and confirming implementation of additional safeguards to protect personal information. Affected individuals received warnings about potential identity theft risks and were offered free credit monitoring services. This marked UC Berkeley's second significant cybersecurity incident within fourteen months, following a December 2014 breach targeting the Real Estate Division that exposed data belonging to approximately 1,600 people. The 2015 attack specifically impacted financial operations rather than academic or research systems, with vendor payment information joining student and employee data in the pool of potentially compromised records.