University Of Colorado Refuses To Pay $17 Million Ransom Following Accellion Data Breach

BOULDER, Colo. (CBS4) - The University of Colorado declined to pay a $17 million ransom demand after a data breach compromised more than 310,000 university records. Officials say the breach exposed some students' grades and transcript data, visa and disability status, medical and prescription information and fewer than 20 Social Security numbers.

The attack targeted a vulnerability in the File Transfer Appliance from Accellion, a third-party vendor. CU Boulder was notified of the data breach on Jan. 25. The university's Office of Information Security determined files uploaded by 447 CU users were at risk of unauthorized access.

In March, CBS4 reported the ransomware group CL0P began gradually leaking data from more than two dozen Accellion hacks on the dark web, including data from CU. Officials said some staff who use the file transfer service received emails that their personal data had been stolen and would be published if the university didn't pay the ransom.

"We did receive demands that we declined to meet," said Ken McConnellogue, CU Vice President for Communication. "We also advised our users to not pay, which is consistent with the guidance we received from the FBI."

McConnellogue said the demand was later lowered to $5 million and the university does not intend to pay. The FBI says payment does not guarantee files will be recovered and it could encourage criminals to carry out future attacks.

CU announced it will provide credit and identity monitoring along with fraud consultation and identity theft restoration to those affected by the data breach. The bulk of the data came from CU Boulder but some other files were accessed from CU Denver. CU's Colorado Springs and Anschutz Medical Campus were not affected.

Students and employees can take proactive steps to protect their identity by visiting identitytheft.gov/databreach. Students and employees can also place a fraud alert and security freeze on their credit report through the three nationwide credit reporting agencies: Equifax, TransUnion, and Experian.

Leaked data from other universities has appeared on the CL0P leak website including Harvard Business School, University of Miami, and University of California, Davis.

In February, Kroger Co. announced it was impacted by the Accellion breach. The grocery chain, which operates King Soopers and City Market, said personal data, including Social Security numbers of some of its pharmacy and clinic customers, may have been compromised.

Accellion said on March 1 that all known File Transfer Appliance vulnerabilities have been remediated.

"Since becoming aware of these attacks, our team has been working around the clock to develop and release patches that resolve each identified FTA vulnerability, and support our customers affected by this incident," said Jonathan Yaron, Accellion's Chief Executive Officer.

CU said it plans to switch to a different file sharing product. Additionally, officials plan to move university data to a cloud-hosted environment and add multi-factor authentication as an extra layer of security.