Analysis Reveals No Security Breach; No Personal Data Exposed at CU-Boulder

Posted: 5-1-08, 1:15 p.m.

The University of Colorado at Boulder today announced that a forensic analysis of a computer suspected to have been compromised last week revealed no malicious software, and no exposure of student and staff private data.

"The analysis by our staff, working closely with the consulting firm of Applied Trust Engineering, revealed an interaction between two incompatible software programs that mimicked behavior consistent with malicious software," said Dan Jones director of IT Security at CU-Boulder.

Jones said, "The functioning of the computers led us to initiate our data breach protocol, which includes providing notice to the community of a potential threat of identity theft."

Dennis Maloney, chief technology officer for CU-Boulder, said, "While the data was not compromised, this incident still reinforces the need to continue to constantly improve IT security at CU. We also intend to share our discovery of the software incompatibilities with our colleagues," said Maloney.

Among the measures Maloney announced are:

• The university’s IT Security Office will work with Continuing Education to improve security through increased awareness & training, and will rescan systems for private data and remove any if found. The private data on the laptop has been removed;

• The university will aggressively continue the campaign to eliminate Social Security and Credit Card Numbers from all systems across the campus.

• The university will expand its program to encrypt laptop computers across campus;

• The campus will implement improved password management procedures during Fall 08;

• The campus will complete security training for all faculty & staff by June 30, 2008;

CU-Boulder Chancellor G.P. "Bud" Peterson said, "While I am relieved no personal data was exposed in this incident, it reinforces our need to continue to emphasize to our faculty and staff the measures we all must take to protect important data."