CU releases details of Accellion cyberattack
DENVER – The University of Colorado released detail of its forensic investigation into the late January cyberattack on its vendor Accellion, which resulted in the compromise of personal information of CU students, faculty, staff and affiliates. Accellion notified CU of the incident on Jan. 25. The attack was on a vulnerability in Accellion software that runs CU’s large file transfer platform, which allows faculty and staff to move large amounts of data across and sometimes between campuses and the CU system office. The university shut down the service in January when it learned of the attack and has since migrated to a different service. CU is among at least 10 universities and several other organizations involved. The FBI is investigating.
The forensic analysis, completed by CU’s Office of Information Security, revealed that more than 310,000 unique records with varying levels of personal identifiable information were potentially compromised. Students, faculty, staff and affiliates whose data was involved will receive letters and/or emails next week alerting them to precisely what information of theirs was involved and what actions to take. A web page has more detail, including FAQs(LINK).
Information compromised includes, but is not limited to, grades and transcript data, student ID numbers, race/ethnicity, veteran status, visa status, disability status, and limited donor information. It also includes some medical treatment, diagnosis and prescription information, and in limited cases, Social Security numbers and university financial account information.
CU will provide credit monitoring, identity monitoring, fraud consultation and identity theft restoration to those affected. The bulk of those were on the Boulder campus, with some on the Denver campus. CU’s Colorado Springs and Anschutz Medical Campus were not affected.
Like other Accellion clients, the university, its departments and some individuals have received extortion demands from the attackers. They have posted small amounts of data on the dark web and threaten to post more if not paid. The university does not intend to do so, following guidance from the FBI. Paying would not ensure that data is not posted, now or in the future, or that there would not be additional demands.
Although the attack was on a vulnerability in a third-party vendor’s software, CU is in the process of completing a lessons learned exercise to improve its practices.
Potentially impacted individuals can obtain information about identity theft and fraud by contacting the Federal Trade Commission at 600 Pennsylvania Ave. NW, Washington, D.C. 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338) and TTY: 1-866-653-4261. They may also contact the credit reporting agencies regarding fraud alerts and security freezes. Contact information for the credit reporting agencies is below:
TransUnion Fraud Alert
P.O. Box 2000
Chester, PA 19016-2000
TransUnion Credit Freeze
P.O. Box 160
Woodlyn, PA 19094
Experian Fraud Alert
P.O. Box 9554
Allen, TX 75013
Experian Credit Freeze
P.O. Box 9554
Allen, TX 75013
Equifax Fraud Alert
P.O. Box 105069
Atlanta, GA 30348-5069
Equifax Credit Freeze
P.O. Box 105788
Atlanta, GA 30348-5788
For more information contact: Ken McConnellogue, 303.815.8481 firstname.lastname@example.org