DENVER – The University of Colorado said Friday that hackers have sent extortion demands after a cyberattack on an outside vendor in January exposed the information of potentially 310,000 data files, including some personal data.
The university system said the attackers have posted small amounts of the stolen data already and have threatened to post more, but Chief Information Security Office Dan Jones said the university does not plan to pay after consulting with law enforcement.
“Doing so would not guarantee information would not be posted or that there would not be additional demands,” Jones wrote in a letter to the community.
CU said it will be sending letters or emails next week to people whose data may have been compromised to tell that what information may be out there and what they can do. A website has also been set up for those affected to get resources.
The university says it will also offer those people credit monitoring, identity monitoring, fraud consultation and identity theft restoration to people affected.
Information that has potentially been compromised includes grades and transcripts, student ID numbers, race and ethnicity data, some donor information, veteran and visa status, some medical information, and some Social Security numbers.
CU first gave notice of the cyberattack on the university’s third-party vendor, Accellion, which helped facilitate the university’s file-sharing system, in February. CU says most of the compromised data comes from the Boulder campus, and a smaller amount from the Denver campus. CU does not believe data from UCCS and CU Anschutz were affected.
At least 10 other universities and other organizations were also attacked. CU since it has since moved to a different vendor.
The letter from Jones said that the hackers may send people direct emails demanding payment to stop the release of personal information.
“If so, please do not reply or engage with the senders and delete the messages,” Jones wrote. “…This attack is a strong reminder of the importance of cybersecurity. We will learn what we can from this attack, adjust our practices as necessary, and continue to keep cybersecurity at the forefront of our efforts.”