Cyberattack exposes data of 30,000 people connected with CU Boulder

On campus at the University of Colorado Boulder. Sept. 8, 2021.
Kevin J. Beaty/Denverite
On campus at the University of Colorado Boulder. Sept. 8, 2021.

About 30,000 current and former employees and students at the University of Colorado Boulder have had personally identifiable information breached in a cyberattack. 

A hacker exploited a vulnerability found in a file-sharing service provided by the software company Atlassian, which is primarily used by CU’s Office of Information Technology. Files compromised included “support and procedural documents, configuration files and collaborative documents”, according to the university

Some files accessed by the hacker included “names, student ID numbers, addresses, dates of birth, phone numbers and genders.” Social security numbers and financial information were not included in the files, but with the data they did get, malicious actors could potentially commit fraud or answer security questions. 

CU said the vulnerability should be patched now.

“OIT upgraded the software to the latest version which is not susceptible to the vulnerability that allowed the intrusion. OIT was testing the new version and preparing to implement it when the intrusion occurred,” CU said in a statement. 

Affected people are being notified via email. CU is providing free monitoring services for those whose confidential information was stolen. 

This is the second known case of CU data being breached in a cyberattack this year. In January, CU was one of many clients affected by an attack on Accellion, a large file transfer service. Files of 447 users were accessed in the breach, containing personal information for thousands of students, faculty and staff across all CU campuses. According to CU, the two cyberattacks are unrelated.