The University of Colorado Boulder is sending out electronic notifications to roughly 30,000 former and current students that their private details may have been stolen during a recent data breach.
According to a release from the university, the third-party software, provided by Atlassian, had a security loophole that impacted a program used by the Office of Information Security. The office did an internal investigation that showed some data was accessed by a hacker.
Atlassian is an Australian software firm headquartered in Sydney that manufactures products for software developers, project managers, and other software development teams.
The vulnerability “impacted a program used mostly by the Office of Information Technology (OIT) to share resources, such as support and procedural documents, configuration files and collaborative documents,” the university said in a statement.
The accessed files contained personally identifiable information (PII) for current and former CU Boulder students. Included in that information were names, student ID numbers, addresses, dates of birth, phone numbers, and genders. Fortunately, no Social Security numbers or financial details were compromised during the security incident.
“An analysis by the Office of Information Security revealed some data stored in the program was accessed by an attacker. Atlassian released a software patch for the vulnerability on August 25. (The Office of Information Technology) upgraded the software to the latest version which is not susceptible to the vulnerability that allowed the intrusion,” CU Boulder said in its announcement. “OIT was testing the new version and preparing to implement it when the intrusion occurred.”
Most of the students whose data may have been impacted in the incident are no longer associated with CU Boulder as a student or employee, Dan Jones, associate vice chancellor for integrity, safety, and compliance at the university, stated. However, the university is providing free monitoring services for those whose personal details were compromised.
This is the second known case of CU data being compromised in a cyberattack. Earlier this year in January, CU was one of many clients affected by an attack on Accellion, a large file transfer service. Files of 447 users were compromised in the data breach, containing private details for thousands of students, faculty, and staff across all CU campuses. According to CU, the two cyberattacks are not connected.
