Statement To CU Community About Accellion Cyberattack
I want to alert you to a malicious cyberattack that could have implications for some members of the CU community. In late January, CU vendor Accellion, Inc. notified us that attackers were able to exploit a vulnerability in its software that allowed temporary access to CU files uploaded by users of our file transfer service. We shut down the file transfer service immediately. The company provides us services for transferring large files and data sets that can include sensitive information, particularly information protected by privacy laws. CU is one of hundreds of Accellion’s customers, which include the federal government, businesses, health care companies and several universities.
I have met with CU’s information security team for a full briefing, and I want to share what we know with you.
We believe a substantial number of individual records might have been compromised, including student and employee personally identifiable information. Based on the nature of the file transfer service, other information could include limited health and clinical data (none at CU Anschutz that we are aware of at this point), and study and research data. Specific categories of individual records trigger different reporting obligations under federal and state law.
We are working diligently to determine precisely what information was compromised. At this point, we know most was from the Boulder campus and some was from the Denver campus. CU Anschutz, UCCS, system administration and the CU Foundation do not seem to be affected, but we are still investigating.
We have set up a web page here to provide what information we know to date. It will be updated as we learn more. I understand this notice raises many questions and we are committed to providing information as we get it. Piecing together exactly which files were compromised is a painstaking, sometimes manual process. CU clients of the service – most of whom are affiliated with the Boulder campus – have been notified and are assisting. We expect to have a significant part of the work done this week, but we will have to continue analysis of the data until we learn the full extent of the attack. We will provide updates to the community.
Pertinent state and federal regulatory entities and law enforcement, including the FBI, have been notified. Some 300 of Accellion’s clients were impacted by the attack.
We are committed to appropriate remedies for those affected, including identity and credit monitoring. Although this cyberattack happened using software provided by a third-party vendor, it is a reminder of the importance of cybersecurity at CU. If you have questions about keeping data safe, please contact your campus/system administration information security office.
We will keep you apprised through the website and more updates as necessary.