University of Colorado officials last Friday said that the extent of the breach of Accellion’s file-transfer application on its community was far greater than initially reported, with more than 300,000 records, including some Social Security numbers, exposed in the incident.
In a lengthy update on its website, the university acknowledged that “a small amount” of Social Security numbers were among the personally identifiable information contained in the breach, which has affected dozens of large organizations that used Accellion’s software globally, including at least 10 higher education institutions.
The other records include student identification numbers, grades and transcripts, race and ethnicity status and medical histories, the university said. Most of the records are affiliated with Colorado’s flagship campus in Boulder, though some came from the University of Colorado Denver. The university’s other campuses, including Colorado Springs and a medical college in Aurora, did not appear to be affected, officials said.
But the records are being held for ransom, the university said, with malicious actors threatening to publish them in full if a monetary demand is not satisfied. “On advice of the FBI (which is investigating the cyberattack) CU will not pay ransom,” the university’s statement reads.
A foreign hacking group, referred to as UNC2546 by the cybersecurity company FireEye, compromised a zero-day vulnerability in Accellion’s file-transfer platform last December, exposing files belonging to its clients. Initially, CU, which was notified of the breach in January, said 447 users on its Boulder campus were affected. Last month, though, a sample of stolen files appeared on a leak website associated with a type of ransomware known as Clop, which is used by another hacking group with ties to UNC2546.
Other schools that used Accellion and have seen their data threatened include Stanford University; the University of Miami; the University of Maryland, Baltimore; Harvard Business School; and Yeshiva University in New York. Several campuses in the University of California system have also been targeted.
“We are working with federal law enforcement and external cybersecurity experts to investigate this incident, assess the information that may have been compromised and take additional measures to protect data,” a University of California spokesman told StateScoop. “In the meantime, we have notified the UC community and offered one year of complimentary credit monitoring and identity theft protection.”
But with hundreds of thousands of exposed records, though, the University of Colorado is also stepping up the response for its students and faculty, institution leaders said. Beginning Monday, the school will notify affected users by email or physical mail if their information was exposed. It is also setting up a call center and offering free credit monitoring.
“While individuals should always be vigilant about the potential for identity theft, most of the information compromised in this attack would not easily lead to identity theft,” the statement reads.
The university said in March that while it has patched its Accellion application, it plans to find a new vendor for file transfers.