Information security specialists continue to comb through data files to determine the extent and severity of the cyberattack on the university’s large file transfer service that was communicated to the CU community this week.
CU President Mark Kennedy alerted the university community to the cyberattack on Tuesday. He related that attackers were able to exploit a vulnerability in software managed by Accellion Inc., the third-party vendor whose software powers the file transfer service. The attack allowed access to files of some of the nearly 450 CU users of the system, most all of which are on the Boulder campus.
“We believe a substantial number of individual records might have been compromised, including student and employee personally identifiable information,” Kennedy wrote.
The attack is likely the largest cyberattack at CU. In 2005, an attack compromised some 49,000 records. CU information security officials expect the current attack will involve more records.
While the vast majority of data was from the Boulder campus, a portion was from CU Denver. At this point, it does not appear that data from CU Anschutz, UCCS, system administration or the CU Foundation was involved, but information security teams still are investigating. Kennedy’s email noted that “Based on the nature of the file transfer service, other information could include limited health and clinical data (none at CU Anschutz that we are aware of at this point), and study and research data.”
CU’s Chief Information Security Officer Dan Jones said information security teams are working to ascertain precisely which data had been compromised and the risk to individuals. State and federal regulating bodies have been notified, in addition to the FBI.
“We are focusing all our time and energy on this effort, but part of the challenge is it involves an amount of manual processing that takes time,” Jones said.
Still, he expects teams will have a significant portion of the analysis done by next week. Some of the work will take weeks to assess, even though additional staff have been dedicated to the project.
“Our goal is to have as complete a picture as we can as soon as we can,” Jones said. “We aim to provide as timely notification as possible to those students and employees who were affected.”
That process has started and the bulk of the notifications will be completed within 30 days, Jones said. Those who had personally identifiable information compromised may receive identity monitoring or credit monitoring.
CU had already started the process of moving to a new large-file transfer platform, a shift that has been accelerated, Jones said.