The University of Colorado received extortion demands related to a cyberattack that “potentially compromised” personal information from more than 310,000 files, including student data, medical information and several Social Security numbers.
The attackers have posted small amounts of data on the dark web and threatened to post more if not paid, CU leaders announced in a news release Friday morning.
“The university does not intend to do so, following guidance from the FBI,” CU said in a statement. “Paying would not ensure that data is not posted, now or in the future, or that there would not be additional demands.”
The university system, as well as individual departments and people, has received specific extortion demands from the attackers in recent weeks, said spokesperson Ken McConnellogue.
An email from the attackers sent to a CU Boulder student Friday morning stated that “the administration refuses to cooperate, in connection with which we notify you that your personal data … will be and already (is) partially published on the darknet.”
System leaders were informed about an attack on CU’s file sharing system, run by vendor Accellion, on Jan. 25 and immediately shut down the service. CU was one of at least 10 higher education institutions involved in the attack, according to the university. About 50 organizations were affected by the attack, which the FBI is investigating.
When CU first announced the attack in February, McConnellogue described it as “the largest, most complex incident involving data” the system had ever seen. CU’s forensic investigation confirmed that, McConnellogue said Friday. The last cyberattack on CU, in 2005, compromised about 50,000 records.
Files stolen in January include grades and transcript data, student ID numbers, race/ethnicity data, veteran status, visa status, disability status and limited donor information.
Other files stolen include “some medical treatment, diagnosis and prescription information, and in limited cases, Social Security numbers and university financial account information,” the release said.
Fewer than 20 Social Security numbers were identified in the more than 310,000 files accessed, McConnellogue said.
Most of the more than 310,000 files accessed were from the Boulder campus, with some from the Denver campus. The Colorado Springs and Anschutz Medical campuses were not impacted.
Anyone whose data was involved in the attack will be notified next week, according to CU, and will be told what actions to take. The university system is providing credit monitoring, identity monitoring, fraud consultation and identity theft restoration to those affected for one year.
CU was in the process of changing how it shared large files before the attack happened and accelerated that process after the attack, McConnellogue said. CU is no longer using the Accellion software that the attackers were able to exploit.
“Part of what our information security folks will do is a lesson learned exercise — what can we do differently and how can we adjust our practices immediately,” McConnellogue said.
The file transfer software used by CU was one of Accellion’s “legacy” products, according to the company’s website, and was developed 20 years ago. Accellion has been working for three years to transfer its clients to a newer and more secure platform, Kiteworks, which was not impacted by the attack, according to a company statement.
In February, Accellion announced an “end of life” date for the legacy file transfer software and said the company would no longer renew those software licenses after April 30.