CU Cyberattack Update: University Will Not Pay Ransom

BOULDER, CO — Hackers are trying to extort the University of Colorado after a cyberattack that compromised more than 310,000 records, officials said Friday.

After consulting with the Federal Bureau of Investigation, the university said it does not plan to comply with the ransom demand.

"There is no guarantee that the cybercriminals will honor promises to not post information," the university said in a notice to the campus communities. "Nor is there assurance that they won’t try further extortion."

Most of the information that was compromised was from the CU Boulder campus, but some was from the Denver campus, officials said.

One of the university's vendors, Accellion, Inc., notified officials in late January that attackers were able to exploit a vulnerability in its software that allowed temporary access to files uploaded in a transfer service. The university shut down the service Jan. 25 and issued a notice to those who may have been affected, officials said.

Don't miss the latest news updates in Boulder: Free Boulder Patch Newsletters and Email Alerts | Facebook | Twitter

Anyone who is contacted by the cyberattackers for ransom is asked to not engage and delete the email, university officials said.

Accellion provides service to hundreds of customers, including health care companies, the federal government, colleges and businesses.

"CU was one of at least 10 higher education institutions affected, in addition to several other Accellion corporate clients," the university's notice read. "All told, about 50 organizations were impacted.

"Although the attack was on a vulnerability in software from a third-party vendor with which CU contracts, the university’s Office of Information Security is conducting a lessons-learned exercise to improve processes and practices."