Hackers Try to Extort University of Colorado

The cyberattack potentially compromised personal information from more than 310,000 files.

University of Colorado campus, Boulder, Colo.
University of Colorado campus, Boulder, Colo.
iStock

BOULDER, Colo. (AP) — Hackers are trying to extort the University of Colorado after a cyberattack that potentially compromised personal information from more than 310,000 files, including student data, medical information and several Social Security numbers, university officials said Friday.

The attackers have posted small amounts of data on the internet and are threatening to post more if they are not paid, The Boulder Daily Camera reported.

“The university does not intend to do so, following guidance from the FBI,” a university news release said. “Paying would not ensure that data is not posted, now or in the future, or that there would not be additional demands.”

Leaders of the university system said they were told of an attack on a file-sharing system run by the vendor in late January and immediately shut down the service. CU was one of at least 10 universities and organizations involved in the attack, according to Friday's announcement.

The FBI is investigating.

The information that was compromised includes grades and transcript data, student ID numbers, race/ethnicity, veteran status, visa status, disability status and limited donor information.

The attack also compromised “some medical treatment, diagnosis and prescription information, and in limited cases, Social Security numbers and university financial account information,” according to the news release.

CU is providing credit monitoring, identity monitoring, fraud consultation and identity theft restoration to those affected, most of whom were connected to the Boulder campus. The Denver campus also had some affected files, while the Colorado Springs and Anschutz Medical campuses were not affected.

“Although the attack was on a vulnerability in a third-party vendor’s software, CU is in the process of completing a lessons learned exercise to improve its practices,” the university said in its statement.

More in IoT