BOULDER, Colo. -- A University of Colorado computer containing the names, Social Security numbers, addresses and grades of approximately 9,000 students and 500 instructors has been compromised, CU-Boulder announced Friday.

The computer containing private data was one of three computers in the Division of Continuing Education and Professional Studies that was breached, university officials said.

The breach was discovered Thursday by CU's IT security team. The investigators discovered a malicious file on the computers and began analyzing log files to determine whether the software allowed the perpetrator to gain access to private data stored on the computer.

"Although at this time there is no reason to believe that the data on the computer has been accessed, the university will be contacting the affected students and instructors to provide guidance about how to protect their identities," CU spokesman Bronson Hilliard said in a news release.

CU has hired a computer forensic firm to conduct an analysis of the data compromise.

The security breach affects some students who were enrolled in Division of Continuing Education and Professional Studies courses between 1997 and 2003, as well as some instructors employed by the division. The university will mail letters to affected parties by the end of next week.

In the last year and a half, CU has reported at least three other incidents that left students vulnerable to possible identity theft.

"The university and I are deeply troubled that this compromise occurred despite efforts under way across campus to address computer security," Chancellor G.P. "Bud" Peterson said. "We will continue and strengthen our security efforts and hold our departments accountable for their success."

"My colleagues and I in Continuing Education regret and apologize for this unfortunate event. We are doing everything in our power to work with IT officials to assure the security of our computers and to remove the private data from them," said Anne Heinz, dean of the Continuing Education.

Over the past few years, the CU-Boulder campus said it has stepped up efforts to increase security awareness and address IT security. These efforts have included:

Launching a campus risk assessment process in 2005 to identify campus IT security risks and to locate and eliminate unnecessary databases of Social Security and credit card numbers;

Switching from Social Security numbers to a student identification number system in 2005;

Using a restrictive network firewall installed in August 2006 that has greatly reduced the campus's exposure to vulnerabilities;

Conducting computer security training for all employees.

Students and faculty who believe they may have been affected by the compromise can find more information about protecting themselves CU's Web site.

Additional Resources

CU's Web site.
The university will mail letters to the affected individuals by May 7, 2008. If you have not received a notification letter within two weeks and are concerned that you may be affected, you can call 303-492-8252 (Monday to Friday 8 a.m. to 5 p.m.).
CU's press release