Quick Take

UC Santa Cruz officials apologized this week for an email sent by the Information Security division Sunday that they say was meant to serve as training to help employees recognize scam emails, or phishing emails. The email appeared to be an alert from campus about an Ebola case at UCSC, but was not real.

UC Santa Cruz campus community members received an email Sunday warning them that a case of the Ebola virus had been detected on campus. No, the highly contagious, deadly disease hadn’t returned to the U.S. nearly 10 years after worries about a worldwide outbreak. The email came from the university’s Information Security division and spread false information with the intent of training people to not fall for scam “phishing” emails. 

The email’s subject line read, “Emergency Notification: Ebola Virus Case on Campus,” and was sent to campus employees. The message said an employee had contracted the virus after visiting South Africa. 

In response, on Monday, UCSC Chief Information Security Officer Brian Hall emailed the campus community to apologize and emphasize that there was not an Ebola case on campus. 

“The email content was not real and inappropriate as it caused unnecessary panic, potentially undermining trust in public health messaging,” he wrote. “We sincerely apologize for this oversight.”

Hall also addressed how the use of Ebola in the email “inadvertently perpetuated harmful information about South Africa.” 

Ebola is a disease caused by a group of viruses, which when left untreated can be fatal. The group of viruses, called orthoebolaviruses, were first recorded in 1976 in the Democratic Republic of Congo, per the U.S. Centers for Disease Control and Prevention. Initially, symptoms can include fever and fatigue and over time can evolve to vomiting and bleeding. 

Since the discovery in 1976, outbreaks have occurred in several African countries, including Uganda, South Sudan, Congo and Gabon, while imported cases have been reported in countries including South Africa and Mali. The largest outbreak occurred in countries across West Africa between 2014 and 2016.

Hall declined an interview and referred all questions to UCSC spokesperson Scott Hernandez-Jason. Hernandez-Jason said the university is “focused on protecting” its campus community from online threats. He said the phishing training email was sent to student employees, faculty and staff. 

“In addition to regular cybersecurity training for our employees, our campus periodically conducts simulated phishing campaigns to remind faculty and staff about how to recognize and handle suspicious emails,” he wrote Tuesday via email. “As we shared with our campus community, we are working to prevent this from happening again.” 

UCSC assistant sociology professor Alicia Riley said she was shocked to receive the email Sunday morning. She is also a core faculty member in the Global and Community Health Program and is a public health researcher. 

“At first I was like, ‘This is crazy.’ I was believing in it. There were all these details about it, [the email mentioned] routine university testing,” she said Tuesday. “And then I thought it through more, and realized this isn’t real.”

She contacted staff and faculty members to confirm whether or not they received it – which they had. Riley also immediately messaged a friend of hers, a former epidemic intelligence service officer who had spent time in Liberia during the Ebola outbreak. 

UCSC and Cabrillo college student free Lookout membership signup

She then emailed the university’s Information Technology Services team to tell them about the phishing email and she got a response saying she had correctly identified the phishing training email. 

“I got a response a few hours later that was like, ‘Good news, you have identified a simulated phishing email,'” she recalled. “Good news? What kind of sick joke is this? No, you don’t get to send emails out to the entire faculty and staff of the university claiming that there’s a confirmed case of Ebola on campus.” 

That prompted Riley to send an email to the information services department’s security team detailing why she felt it was an inappropriate phishing email.

“As a population health scientist who studies infectious disease mortality and teaches about Ebola, I find it irresponsible and in poor taste to use this topic for a simulated phishing attack email that went out to the university community on a Sunday morning, no less,” she wrote. 

Riley described how Ebola has a very high case fatality rate and she was upset the phishing email didn’t mention the well-being of the staff member. 

“And I said to suggest the case originated in South Africa contributes to an existing climate of misinformation and racism that surrounds infectious disease outbreaks in general, and Ebola,” she said. “And I asked if there was a response to try to mitigate the harm done.” 

Riley said their response was swift and she felt that staff in Information Technology Services took immediate action and responsibility for causing panic.

Information Technology Services is one of the university departments to have undergone layoffs in the past week. Hernandez-Jason said the layoffs had nothing to do with the phishing email. 

“There is no connection between the ITS staffing reductions and the simulated phishing email,” he wrote. 

This story has been updated with additional information from university officials. 

Have something to say? Lookout welcomes letters to the editor, within our policies, from readers. Guidelines here.

After three years of reporting on public safety in Iowa, Hillary joins Lookout Santa Cruz with a curious eye toward the county’s education beat. At the Iowa City Press-Citizen, she focused on how local...