April 9, 2021

CU releases details of Accellion cyberattack

DENVER – The University of Colorado released detail of its forensic investigation into the late January cyberattack on its vendor Accellion, which resulted in the compromise of personal information of CU students, faculty, staff and affiliates. Accellion notified CU of the incident on Jan. 25. The attack was on a vulnerability in Accellion software that runs CU’s large file transfer platform, which allows faculty and staff to move large amounts of data across and sometimes between campuses and the CU system office. The university shut down the service in January when it learned of the attack and has since migrated to a different service. CU is among at least 10 universities and several other organizations involved. The FBI is investigating.

The forensic analysis, completed by CU’s Office of Information Security, revealed that more than 310,000 unique records with varying levels of personal identifiable information were potentially compromised. Students, faculty, staff and affiliates whose data was involved will receive letters and/or emails next week alerting them to precisely what information of theirs was involved and what actions to take. A web page has more detail, including FAQs(LINK).

Information compromised includes, but is not limited to, grades and transcript data, student ID numbers, race/ethnicity, veteran status, visa status, disability status, and limited donor information. It also includes some medical treatment, diagnosis and prescription information, and in limited cases, Social Security numbers and university financial account information.

CU will provide credit monitoring, identity monitoring, fraud consultation and identity theft restoration to those affected. The bulk of those were on the Boulder campus, with some on the Denver campus. CU’s Colorado Springs and Anschutz Medical Campus were not affected.

Like other Accellion clients, the university, its departments and some individuals have received extortion demands from the attackers. They have posted small amounts of data on the dark web and threaten to post more if not paid. The university does not intend to do so, following guidance from the FBI. Paying would not ensure that data is not posted, now or in the future, or that there would not be additional demands.

Although the attack was on a vulnerability in a third-party vendor’s software, CU is in the process of completing a lessons learned exercise to improve its practices.

Potentially impacted individuals can obtain information about identity theft and fraud by contacting the Federal Trade Commission at 600 Pennsylvania Ave. NW, Washington, D.C. 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338) and TTY: 1-866-653-4261.  They may also contact the credit reporting agencies regarding fraud alerts and security freezes.  Contact information for the credit reporting agencies is below:   




TransUnion Fraud Alert

P.O. Box 2000

Chester, PA 19016-2000

TransUnion Credit Freeze

P.O. Box 160

Woodlyn, PA 19094




Experian Fraud Alert

P.O. Box 9554

Allen, TX 75013

Experian Credit Freeze

P.O. Box 9554

Allen, TX 75013




Equifax Fraud Alert

P.O. Box 105069

Atlanta, GA 30348-5069

Equifax Credit Freeze

P.O. Box 105788

Atlanta, GA 30348-5788

For more information contact: Ken McConnellogue, 303.815.8481 ken.mcconnellogue@cu.edu