BOULDER, Colo. (CBS4) – The University of Colorado released new information on Friday about the Accellion data breach that compromised more than 310,000 university records. Officials say data accessed in the breach includes grades and transcript data, visa and disability status, medical and prescription information and in limited cases, Social Security numbers and university financial account information.
In February, CU announced it was investigating a cyberattack believed to be the largest in the university’s history. The attack targeted a vulnerability in the File Transfer Appliance from Accellion, a third-party vendor. Accellion says the hack impacted fewer than 100 clients, with 25 suffering significant data theft.
In March, CBS4 reported the ransomware group CL0P leaked data from 25 Accellion hacks on the dark web, including data from CU. Officials said some staff who use the file transfer service received emails that their personal data had been stolen and would be published if the university didn’t pay the ransom.
“We did receive demands that we declined to meet,” said Ken McConnellogue, CU Vice President for Communication. “We also advised our users to not pay, which is consistent with the guidance we received from the FBI.”
The university said it will provide credit and identity monitoring along with fraud consultation and identity theft restoration to those affected by the data breach.
Many campus constituents are receiving extortion emails connected to the Accellion cyberattack. If you receive one of these emails, please do not reply or engage with the senders and delete the email.https://t.co/jZHsqQrbmn pic.twitter.com/DzXYjBzZPl
— CU Boulder OIT (@CUBoulderOIT) April 9, 2021
CU Boulder was notified of the Accellion attack on Jan. 25. The university’s Office of Information Security determined files uploaded by 447 CU users were at risk of unauthorized access. Officials said the bulk of the data came from CU Boulder but some other files were accessed from CU Denver. CU’s Colorado Springs and Anschutz Medical Campus were not affected.
Students and employees can take proactive steps to protect their identity by visiting identitytheft.gov/databreach. Students and employees can also place a fraud alert and security freeze on their credit report through the three nationwide credit reporting agencies: Equifax, TransUnion, and Experian.
Leaked data from other universities has appeared on the CL0P leak website including Harvard Business School, University of Miami, and University of California, Davis.
In February, Kroger Co. announced it was impacted by the Accellion breach. The grocery chain, which operates King Soopers and City Market, said personal data, including Social Security numbers of some of its pharmacy and clinic customers, may have been compromised.
Accellion said on March 1 that all known File Transfer Appliance vulnerabilities have been remediated.
“Since becoming aware of these attacks, our team has been working around the clock to develop and release patches that resolve each identified FTA vulnerability, and support our customers affected by this incident,” said Jonathan Yaron, Accellion’s Chief Executive Officer.
CU said it plans to switch to a different file sharing product. Additionally, officials plan to move university data to a cloud-hosted environment and add multi-factor authentication as an extra layer of security.