
Friday, April 16, 2021

Radio Silence on Accellion Breach - Part 6

 

Although we don't know what the Regents were told about the Accellion data breach at their closed meeting (see our earlier post in this sequence), we do know that another university - the U of Colorado - received a ransom demand. It refused to pay:

University Of Colorado Refuses To Pay $17 Million Ransom Following Accellion Data Breach

By Audra Streetman, April 14, 2021, CBS4

BOULDER, Colo. (CBS4) – The University of Colorado declined to pay a $17 million ransom demand after a data breach compromised more than 310,000 university records. Officials say the breach exposed some students’ grades and transcript data, visa and disability status, medical and prescription information and fewer than 20 Social Security numbers.

The attack targeted a vulnerability in the File Transfer Appliance from Accellion, a third-party vendor. CU Boulder was notified of the data breach on Jan. 25. The university’s Office of Information Security determined files uploaded by 447 CU users were at risk of unauthorized access.

In March, CBS4 reported the ransomware group CL0P began gradually leaking data from more than two dozen Accellion hacks on the dark web, including data from CU. Officials said some staff who use the file transfer service received emails that their personal data had been stolen and would be published if the university didn’t pay the ransom.

“We did receive demands that we declined to meet,” said Ken McConnellogue, CU Vice President for Communication. “We also advised our users to not pay, which is consistent with the guidance we received from the FBI.”

McConnellogue said the demand was later lowered to $5 million and the university does not intend to pay. The FBI says payment does not guarantee files will be recovered and it could encourage criminals to carry out future attacks.

CU announced it will provide credit and identity monitoring along with fraud consultation and identity theft restoration to those affected by the data breach. The bulk of the data came from CU Boulder but some other files were accessed from CU Denver. CU’s Colorado Springs and Anschutz Medical Campus were not affected.

Students and employees can take proactive steps to protect their identity by visiting identitytheft.gov/databreach. Students and employees can also place a fraud alert and security freeze on their credit report through the three nationwide credit reporting agencies: Equifax, TransUnion, and Experian.

Leaked data from other universities has appeared on the CL0P leak website including Harvard Business School, University of Miami, and University of California, Davis.

In February, Kroger Co. announced it was impacted by the Accellion breach. The grocery chain, which operates King Soopers and City Market, said personal data, including Social Security numbers of some of its pharmacy and clinic customers, may have been compromised...

Full story at: https://denver.cbslocal.com/2021/04/14/colorado-cu-boulder-17-million-ransom-demand-accellion-data-breach/ 

There is still radio silence from UC after the original announcements on what may have happened. This may not be a situation, however, where no news is good news:

