The University of Colorado has reported a cyberattack on its software that likely exposed employee, student, health and research records, officials said.
University President Mark Kennedy informed the campus communities Tuesday in an email of the “malicious cyberattack” on software provided by vendor Accellion, calling it “the largest, most complex incident involving data” the system has experienced, The Daily Camera reported.
Kennedy said that the software is mainly used by the Boulder campus but that data from the Denver campus was also involved. The Anschutz and Colorado Springs campuses do not yet appear to be impacted.
University spokesperson Ken McConnellogue said the IT team said this attack is expected to “certainly exceed” a similar attack in 2005 that exposed about 50,000 records.
The university uses the software to transfer large files and datasets that can include information protected by privacy laws, including personally identifying information of current and prospective students, health records and research data.
The file sharing service was shut down on Jan. 25 and restored on Jan. 28, university officials said.
McConnellogue said the university is currently investigating who was impacted, how many files were exposed and who was responsible for the attack.
About 300 Accellion customers were impacted, officials said. The university has contacted about 450 people who had files uploaded in the system in January after it was notified by Accellion.
“As we notify them we want to provide as much information to them as possible, which is why this forensic stage that we’re in is important and will take a little time,” McConnellogue said.
Kennedy said the university expects to determine which files were compromised in part this week.
Accellion spokesperson Rob Dougherty said the company is conducting a full assessment.
“We will share more information once this assessment is complete,” Dougherty said. “For their protection, we do not comment on specific customers. We are working with all impacted FTA clients to understand and mitigate any impact of this incident.”