FOX31 Denver

Hackers try to extort University of Colorado in cyberattack

BOULDER, Colo. (KDVR) — Hackers are trying to extort the University of Colorado after a cyberattack that potentially compromised personal information from more than 310,000 files, including student data, medical information and several Social Security numbers, university officials said Friday.

“They have posted some things on the dark web and are threatening to post more,” Ken McConnellogue, the Vice President of Communications at CU Boulder said.

The attackers have posted small amounts of data on the internet and are threatening to post more if they are not paid.

“It’s mostly students files because they are the vast majority of the records,” McConnellogue said. 

“The university does not intend to do so, following guidance from the FBI,” a university news release said. “Paying would not ensure that data is not posted, now or in the future, or that there would not be additional demands.”

Leaders of the university system said they were told of an attack on a file-sharing system run by the vendor in late January and immediately shut down the service. CU was one of at least 10 universities and organizations involved in the attack, according to Friday’s announcement.

Local cyber security experts said the software company that hackers breached is called Accelion. Mitch Tanenbaum, Chief of Information at Cyber Security LLC said the software that the university was using was originally written about 20 years ago. 

“There are bugs. The bad guys figured out there are bugs,” Tanenbaum said. 

The FBI is investigating.

The university stated those impacted will receive either an email or letter soon explaining what information of theirs hackers have and what the next steps are to protect their identity. 

“We will pay for credit and identity monitoring,” McConnellogue said. 

The information that was compromised includes grades and transcript data, student ID numbers, race/ethnicity, veteran status, visa status, disability status and limited donor information.

“It’s CU’s problem. They can blame their vendor, there are multiple law suits against Accellion for this breach,”  Tanenbaum said. 

The attack also compromised “some medical treatment, diagnosis and prescription information, and in limited cases, social security numbers and university financial account information,” according to the news release.

CU is providing credit monitoring, identity monitoring, fraud consultation and identity theft restoration to those affected, most of whom were connected to the Boulder campus. The Denver campus also had some affected files, while the Colorado Springs and Anschutz Medical campuses were not affected.

“Although the attack was on a vulnerability in a third-party vendor’s software, CU is in the process of completing a lessons learned exercise to improve its practices,” the university said in its statement.

The Associated Press contributed to this article.