The University of Colorado has been breached through its former third-party vendor Accellion. Accellion fell victim to a supply chain attack on December 23, 2020. Cybercriminals penetrated Accellion’s extensive client network and then began systematically breaching their data.
To date, at least 2.7 million victims have been impacted through Accellion’s compromise, a testament to the pernicious efficiency of supply chain attacks.
CU began investigating the incident in February 2021. It was recently revealed that the breach was the most devastating cyberattack in the University’s history.
More than 310,000 university records were compromised, including:
- Transcript information
- Medical information
- Prescription information
- Student ID numbers
- Disability status
- Social security numbers
- University financial account information
A majority of the breached data is linked to the Boulder campus.
After the incident, both CU staff and students were contacted by the ransomware group CL0P, which demanded payment to prevent the private data from being published online.
CU responded with a social post warning all recipients not to comply with the cybercriminals’ demands.
After the ransom payment ultimatum had elapsed, in classic double-extortion ransomware fashion, the seized data was published on the criminal-infested dark web.
CL0P’s role in the original Accellion breach is still uncertain. They could either be responsible for the attack or just managing the stolen data.
Colorado University is offering impacted students credit monitoring, identity monitoring, fraud consultation, and identity theft restoration free of charge.