Attackers exploited a vulnerability in Atlassian software that CU Boulder's Office of Information Technology uses to share information and accessed files that contained information including names, student ID numbers, addresses, dates of birth, phone numbers and genders.
The files did not contain Social Security numbers or financial information, said Dan Jones, associate vice chancellor for integrity, safety and compliance. Approximately 80% of the information accessed is connected to former employees and students. Campus officials do not know who was behind the attack, Jones said.
CU Boulder is notifying those impacted by the security breach by email this week and will provide monitoring services at no cost, according to the campus announcement.
Atlassian released a software patch for the program on Aug. 25, and the campus was alerted to the security breach on Sept. 1 through routine monitoring, Jones said.
"[The Office of Information Technology] upgraded the software to the latest version which is not susceptible to the vulnerability that allowed the intrusion," CU Boulder said in its announcement. "OIT was testing the new version and preparing to implement it when the intrusion occurred."
It took until this week to notify those impacted by the breach because of the forensic investigation into the attack, Jones said, as well as the need to work with the identity monitoring service to make sure they had current information for the people impacted.
The incident is not related to a cyber attack that occurred on Accellion software used by the Boulder campus and CU system in January, which compromised information in 310,000 files, including student data and medical information.
Moving forward, Jones said, the campus is making investments to improve threat analysis so it can more quickly detect new software vulnerabilities. Campus leaders and staff are also looking at how to automate system patches so that there's a smaller amount of time between when vendors release software patches and when they're implemented, Jones said.
©2021 Daily Camera, Distributed by Tribune Content Agency, LLC.
