Breach Deemed Largest Cyber-Attack in CU History

Cyber-attack affects CU system 

While CU Boulder was the main victim, CU Denver and The Anschutz Medical Campus were affected as well. 
Illustration: Mazie Neill • The Sentry

The University of Colorado has begun an investigation into a breach of data that occurred against both employees and students. The university’s information security teams are currently trying to determine the scope of the cyber-attack, but it appears to be one of the largest breaches of data in CU history. The university was first notified of a potential data breach back in December, but the attack was confirmed in the middle of January.  

The university is one of roughly 300 customers of a file transfer service, Accellion, which were impacted in this recent data breach. The use of the service was suspended on Jan. 25, when university officials were first notified of the attack. According to university officials, CU Boulder was primarily impacted by the attack, but CU Denver employees and students were impacted to a lesser extent. Some research data might have been compromised from the Boulder campus. 

President of the CU system, Mark Kennedy, said in an email regarding the attack: “We believe a substantial number of individual records might have been compromised, including student and employee personally identifiable information.  Based on the nature of the file transfer service, other information could include limited health and clinical data (none at CU Anschutz that we are aware of at this point), and study and research data.” Kennedy hasn’t released any more information than what has already been reported on. 

The university’s Vice President of Communication, Ken McConnellogue said in an interview that the university did not believe that attack affected the Anshutz campus or the Colorado Springs campus. “We are still figuring out the exact numbers of how many were affected, but it was the largest cyber-attack on our system. Previously, 47,000 record breaches were considered to be the largest,” said McConnellogue. McConnellogue confirmed that the university was already phasing out the use of Accellion prior to the data breach, and that the recent cyber-attack has caused officials to accelerate the process. McConnellogue did not indicate a specific service they were moving towards or an alternative file sharing service. 

According to CU officials, specific data was not targeted; however, the type of information that was compromised was health records and personal identifiable information like names, addresses, and grade status. CU has confirmed that investigators are underway to confirm which files were compromised and reaching out to those impacted. Students and employees whose information was compromised will receive an email telling them what data was breached and what they can do about it. 

The university has stated that it plans to provide monitoring services to those it serves at no cost to the students or employees. However, in the meantime, the university has emailed out resources students and employees can use to proactively protect their data.

This is a selection from the March 3 issue. To view the full issue, visit:

Leave a Reply

Your email address will not be published. Required fields are marked *