A January cyberattack on the University of Colorado is “the largest, most complex incident involving data” the system has ever seen, likely exposing a substantial number of employee, student, health and research records, officials said.
President Mark Kennedy informed the campus communities of the attack in an email Tuesday, describing it as a “malicious cyberattack” on software provided by vendor Accellion.
CU uses the software to transfer large files and data sets that can include information protected by privacy laws, Kennedy wrote, including personally identifiable information of current and prospective students and employees, health and clinical data, and study and research data.
The university does not yet know the full scope of the attack, said spokesperson Ken McConnellogue, and is currently investigating who was impacted and how many files were exposed. CU also does not know who was behind the attack, McConnellogue said. Approximately 300 Accellion customers were impacted.
“We think this is the largest, most complex incident involving data that we’ve had,” McConnellogue said. “Our IT folks tell us that in 2005 CU was a target of an attack that exposed about 50,000 records, and this will certainly exceed that.”
The file sharing service is mainly used by the Boulder campus, according to Kennedy’s letter, and data from the Denver campus was also involved. The Anschutz and Colorado Springs campuses, along with the system administration and CU Foundation, do not yet appear to be impacted.
CU was notified by Accellion in late January that attackers had exploited a vulnerability in the file transfer service, and the university immediately shut the service down, Kennedy wrote.
The service was shut down on Jan. 25, patched and restored on Jan. 28, according to a university website about the attack. A forensic investigation by CU and Accellion “revealed CU Boulder’s service was compromised and the files available on the system during the attack had been at risk of unauthorized access,” the website states.
The university has contacted 447 people who had files uploaded in the system in January, and the Office of Information Security is completing a manual review of all files that were exposed during the attack, according to CU.
“Piecing together exactly which files were compromised is a painstaking, sometimes manual process,” Kennedy wrote. “…We expect to have a significant part of the work done this week, but we will have to continue analysis of the data until we learn the full extent of the attack.”
The university will notify people impacted by the attack as soon as possible, McConnellogue said.
“As we notify them we want to provide as much information to them as possible, which is why this forensic stage that we’re in is important and will take a little time,” McConnellogue said.
Those impacted will be provided with free monitoring services to detect identity and credit fraud, according to CU’s website about the attack. More information will be available at cu.edu/accellion-cyberattack.
Law enforcement agencies, including the FBI, have been notified, McConnellogue said.
In an email statement, Accellion spokesperson Rob Dougherty wrote that the company is conducting a full assessment of the incident with an “industry-leading cybersecurity forensics firm.”
“We will share more information once this assessment is complete,” Dougherty wrote. “For their protection, we do not comment on specific customers. We are working with all impacted FTA clients to understand and mitigate any impact of this incident, and to migrate them to our modern kiteworks content firewall platform as soon as possible.”
A news release about the cyberattack on Accellion’s website describes the file sharing service as a 20-year-old product nearing end of life. The initial cyberattack began in mid-December and “was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,” the website stated, and was “a highly sophisticated attack.”
In an email, Courtney Bernal, a spokesperson with the FBI’s Denver field office, stated that the bureau does not confirm or deny specific investigations. CU Boulder referred requests for comment to McConnellogue.