CU Community Advised To 'Not Respond' To Hackers In Massive Data Breach

BOULDER, Colo. (CBS4) - The University of Colorado is learning more about a massive data breach that compromised personal records. It may be the largest in university history. On April 9, the university announced more than 310,000 university records were compromised in the data breach.

Those records include grades, transcripts, visa and disability status, medical and prescription information, and, in limited cases, Social Security numbers. The attack targeted what should be a secure file transfer system, known as file transfer application, or "FTA", from a third-party vendor called Accellion.

CU was notified on Jan. 25 and, on that day, suspended use of Accellion's service. At that point, CU determined 447 CU users were at risk of unauthorized access. The university was able to restore service on Jan. 28 using a software patch, essentially a quick repair job.

On Feb. 9, CU announced it was investigating what it believed to be the largest cybersecurity attack in university history. On March 1, Accellion said that all known transfer vulnerabilities were corrected.

As recently as March 23, CU said it was still investigating the scope of the attack. Now, both the university and individuals are being asked to pay a ransom to keep all of the information private. The university says they're not paying the ransom, and neither should anyone else.

Holly McCollough and Anna Bajaj are freshmen at CU Boulder. They're on high alert after the university sent out an email to students and staff about a possible data breach.

"It just said that there was a big security breach and that if you were affected, you'd be getting a second email in the next couple of days," Bajaj said.

CU Vice President of Communications, Ken McConnellogue, says at least 310,000 records with personal data have been compromised.

"In late January we use a third-party vendor to transfer large, and sometimes confidential, files on our campuses, and that vendor let us know that they were a victim of a cyberattack," McConnellogue said. "What we've also learned is they are now trying to extort both the university and individuals to have them pay so that they don't post that information on the dark web."

There are steps students and staff can take to stay safe.

Students and employees can take proactive steps to protect their identity by visiting identitytheft.gov/databreach. Students and employees can also place a fraud alert and security freeze on their credit report through the three nationwide credit reporting agencies: Equifax, TransUnion, and Experian.

"What we're doing is notifying all of those who were involved in this and providing them with credit monitoring, identity monitoring, and some tools they can use to protect themselves," McConnellogue said. "We're asking people to simply not respond."