[BreachExchange] 310, 000 Records Compromised In University Of Colorado Data Breach, Including Social Security Numbers & University Financial Information

[Destry Winant]

https://denver.cbslocal.com/2021/04/09/university-of-colorado-data-breach-310000-records-obtained-social-security-numbers/

BOULDER, Colo. (CBS4) – The University of Colorado released new
information on Friday about the Accellion data breach that compromised
more than 310,000 university records. Officials say data accessed in
the breach includes grades and transcript data, visa and disability
status, medical and prescription information and in limited cases,
Social Security numbers and university financial account information.

In February, CU announced it was investigating a cyberattack believed
to be the largest in the university’s history. The attack targeted a
vulnerability in the File Transfer Appliance from Accellion, a
third-party vendor. Accellion says the hack impacted fewer than 100
clients, with 25 suffering significant data theft.

In March, CBS4 reported the ransomware group CL0P leaked data from 25
Accellion hacks on the dark web, including data from CU. Officials
said some staff who use the file transfer service received emails that
their personal data had been stolen and would be published if the
university didn’t pay the ransom.

“We did receive demands that we declined to meet,” said Ken
McConnellogue, CU Vice President for Communication. “We also advised
our users to not pay, which is consistent with the guidance we
received from the FBI.”

The university said it will provide credit and identity monitoring
along with fraud consultation and identity theft restoration to those
affected by the data breach.

CU Boulder was notified of the Accellion attack on Jan. 25. The
university’s Office of Information Security determined files uploaded
by 447 CU users were at risk of unauthorized access. Officials said
the bulk of the data came from CU Boulder but some other files were
accessed from CU Denver. CU’s Colorado Springs and Anschutz Medical
Campus were not affected.

Students and employees can take proactive steps to protect their
identity by visiting identitytheft.gov/databreach. Students and
employees can also place a fraud alert and security freeze on their
credit report through the three nationwide credit reporting agencies:
Equifax, TransUnion, and Experian.

Leaked data from other universities has appeared on the CL0P leak
website including Harvard Business School, University of Miami, and
University of California, Davis.

In February, Kroger Co. announced it was impacted by the Accellion
breach. The grocery chain, which operates King Soopers and City
Market, said personal data, including Social Security numbers of some
of its pharmacy and clinic customers, may have been compromised.

Accellion said on March 1 that all known File Transfer Appliance
vulnerabilities have been remediated.

“Since becoming aware of these attacks, our team has been working
around the clock to develop and release patches that resolve each
identified FTA vulnerability, and support our customers affected by
this incident,” said Jonathan Yaron, Accellion’s Chief Executive
Officer.

CU said it plans to switch to a different file sharing product.
Additionally, officials plan to move university data to a cloud-hosted
environment and add multi-factor authentication as an extra layer of
security.