CU students, employees and affiliates whose personal information may have been compromised in the cyberattack on university vendor Accellion will begin receiving notifications this week alerting them to what data was involved and what steps to take. The notifications will be sent by a combination of email and U.S. Mail.
The university’s Office of Information Security has largely completed its forensic investigation of the attack, according to a memo sent systemwide on Monday from Chief Information Security Officer Dan Jones. He wrote that “CU will provide credit monitoring, identity monitoring, fraud consultation and identity theft restoration to those affected. Our analysis shows that the attack involved more than 310,000 individual records with varying levels of personal identifiable information.” The letter notes that if students or employees do not receive a communication, their data was not affected. The bulk of the data was from the Boulder campus with some from the Denver campus.
A web page provides more detail and an FAQ section. Information involved includes grades and transcript data, student ID numbers, race/ethnicity, veteran status, visa status, disability status and limited donor information. It also includes some medical treatment, diagnosis and prescription information and, in some limited cases, Social Security numbers and CU financial account information, according to Jones. CU’s internal systems – such as finance, human capital management, Advancement and student information systems – were not affected.
The cyberattack was on Accellion, a third-party vendor whose software facilitates the transfer of large (and sometimes sensitive) files on campuses and among campuses and the system. CU first learned of the attack in late January, and information security teams have spent the time since unraveling the nature of the files involved. A portion of the work had to be done manually. CU was among at least 10 universities involved. More than 50 of Accellion’s clients were affected.
Soon after the attack was discovered, individuals and departments at CU and elsewhere began receiving extortion emails from the attackers, who demanded payment. They said if they were not paid, they would post the stolen information on the dark web, a network of sites not indexed by search engines and accessible only with special software.
Jones noted that “CU consulted with law enforcement and does not intend to pay. Doing so would not guarantee information would not be posted or that there would not be additional demands.” Some information already has been posted on the dark web, and security officials say they expect more will be. They advise individuals who receive the extortion emails to delete them.