YU Students’ and Employees’ Personal Information Hacked and Released Publicly

By: Erica Rachel Sultan, News Editor  |  April 19, 2021

On Thursday, April 1, all Yeshiva University students received an email alert from Information Technology Services (ITS) stating that the department is investigating a hacking incident involving its former third-party vendor, Accellion, Inc. Accellion Inc. is used by institutions to transfer important files safely online. According to the company’s site, its goals are to “1. Coordinate and control risky third-party communications, 2. Monitor sensitive files shared with customers, suppliers, and partners, and 3. Protect data with uniform security and compliance.” YU, upon learning of the breach, discontinued its use of Accellion Inc. and launched an investigation. While the investigation continues, it has been concluded that an unauthorized party exploited the company and stole important university files containing personal information of many within the YU community.

Many students received spam emails from the hackers, demanding they pay ransom because their personal financial information has been stolen. One specifically stated, “Good morning, your network has been hacked… We have a website where we publish news and stolen files from companies that have refused to cooperate… If you ignore this message, we will start publishing your data on our website- first screenshots, then files, as well as mailing to our list of journalists and your clients and employees. P.S. Our task is not to harm, but to make money.” 

YU employees have turned out to be among the most vulnerable, as a YU student’s personal investigation found. The hackers have a file of every YU student, faculty and staff employee’s payroll information. Along with their emails, the hackers have stolen and published online personal information such as passport numbers, addresses, social security numbers, and bank account numbers of over 50 employees. The YU technical director, information security manager and information security analyst were among those whose personal data has been published online. Further, one file published online contained confidential admissions information about acceptances and rejections, the YU Observer learned.

One student employee whose information has been published on the hackers’ site, and who wishes to remain anonymous, frustratedly stated, “This is not the first time I’ve had a problem with YU. I’m sick of it and I’m very disappointed. And I hope that this doesn’t happen to anyone else.” 

The YU Observer also reached out to another victim, who wishes to remain anonymous and who told us that the head of communications of YU reached out to them right before Passover, offering them a free year trial of Experian, a credit monitoring company. The trial will protect their identity and watch for any suspicious activity. When asked if they have received any more messages from the hackers or from random people, as their information is posted on the hackers’ website, they responded that they have not received any more messages.

YU has since sent letters to those whose information has been hacked but not published online. In the letter, YU offers students a free year trial of Experian. 

The hackers’ website, which will not be linked in order to protect the victims’ privacy, has received 15,000 views at the time of publication. Also published on the site is information from other institutions of higher education that were hacked, such as University of Miami and University of California. It’s important to note that there has been a series of security breaches beginning in December 2020. Accellion Inc. quietly made repairs to its systems in December and January, but has been hacked since the repairs, in March and April. Accellion Inc. has repeatedly stated within the past year that its File Transfer Appliance (FTA) system has been reaching the end of its life. In a statement from March 1, Accellion Inc. CEO Jonathan Yaron stated, “Since becoming aware of these attacks, our team has been working around the clock to develop and release patches that resolve each identified FTA vulnerability, and support our customers affected by this incident.”

The Federal Trade Commission’s website, identitytheft.gov, states the following in the case where one’s Social Security Number (SSN) or Employer Identification Number (EIN) was exposed: “If a company responsible for exposing your information offers you free credit monitoring, take advantage of it. Get your free credit reports from annualcreditreport.com, and check for any accounts or charges you don’t recognize. You can order a free report from each of the three credit bureaus once a year.” 

One should also “Consider placing a free credit freeze. A credit freeze makes it harder for someone to open a new account in your name. If you place a freeze, you’ll have to lift the freeze before you apply for a new credit card or cell phone – or any service that requires a credit check. If you decide not to place a credit freeze, at least consider placing a fraud alert.

“Try to file your taxes early – before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

“Don’t believe anyone who calls and says you’ll be arrested unless you pay for taxes or debt – even if they have part or all of your Social Security number, or they say they’re from the IRS.

“Continue to check your credit reports at annualcreditreport.com. You can order a free report from each of the three credit reporting agencies once a year.”

Furthermore, if one’s debit or credit card information was exposed, one should “Contact your bank or credit card company to cancel your card and request a new one. Review your transactions regularly. Make sure no one misused your card. If you find fraudulent charges, call the fraud department and get them removed. If you have automatic payments set up, update them with your new card number. Check your credit report at annualcreditreport.com.”

Lastly, in the case that one’s bank account was exposed, one should “Contact your bank to close the account and open a new one. Review your transactions regularly to make sure no one misused your account. If you find fraudulent charges or withdrawals, call the fraud department and get them removed. If you have automatic payments set up, update them with your new bank account information. Check your credit report at annualcreditreport.com.”