BOULDER, Colo. (CBS4) - The University of Colorado is investigating a cyberattack that compromised the personal information of students and employees. Information security teams are working to determine the scope of the attack, but so far it appears to be the largest data breach in the university's history.
The attack targeted a vulnerability in the File Transfer Applicance from Accellion, a third-party vendor. Officials said the hack impacted about 300 Accellion customers, including CU.
CU Boulder suspended use of the service on Jan. 25, the same day it was notified of the attack. A software patch allowed the university to restore service on Jan. 28.
Officials said the service is used primarily by employees on the Boulder campus to send large files, but some data from the Denver campus was also involved.
The university's Office of Information Security determined CU Boulder's service was compromised and files uploaded by 447 CU users were at risk of unauthorized access. These users were notified of the cyberattack on Feb. 1 and asked to report any confidential data within the files.
Investigators are conducting a manual review of all the files uploaded to the service. Officials said personal information of CU Boulder and CU Denver students, along with prospective students, and employees may have been accessed.
The files may also include limited health and clinical data, and study and research data. Data from CU Anschutz, UCCS and system administration does not appear to have been compromised, but officials said the analysis is ongoing.
Officials expect to better understand the extent of the attack by the end of the week. The university plans to update the investigation at this link.
"We are continuing our investigation of the cyberattack to determine precisely what data was compromised. We have suggested steps people can take to protect their identity and we are committed to providing timely notification and appropriate remedies to people in the CU community as soon as we know more," stated Ken McConnellogue, CU Vice President for Communication.
The university plans to provide monitoring services at no cost for anyone whose information was compromised. In the meantime, students and employees can take proactive steps to protect their identity by visiting identitytheft.gov/databreach.
The university said it plans to switch to a different file sharing product. Additionally, officials plan to move data to a cloud-hosted environment and add multi-factor authentication as an extra layer of security.
Accellion said it first learned of the vulnerability in mid-December, which impacted 50 customers. The company patched the issue but later identified additional exploits that continued into January.
The company issued the following statement online, calling the exploits a highly sophisticated attack:
"Accellion is uniformly committed to protecting its customers and their supply chain partners from cyber criminals by preventing breaches and compliance violations, rapidly responding to cyberattacks in process, and mitigating the impact of incursions with extensive forensics and customer support. In regard to this incident, Accellion is contracting with an industry-leading cybersecurity forensics firm to conduct a compromise assessment and will share their findings when available."
for more features.