Notifications are being distributed electronically this week to approximately 30,000 former and current CU affiliates regarding a data security compromise. Most of the individuals impacted are no longer affiliated with CU as a student or employee. This security incident is unrelated to the cyberattack on CU’s Accellion service earlier this year.
A vulnerability in software provided by a third-party vendor, Atlassian, impacted a program used mostly by the Office of Information Technology to share resources, such as support and procedural documents, configuration files and collaborative documents.
Some files stored in this program contained personally identifiable information for current and former students that included names, student ID numbers, addresses, dates of birth, phone numbers and genders. An analysis by the Office of Information Security revealed some data stored in the program was accessed by an attacker.
Affected individuals will be notified via email. The notifications will be sent by the CU Boulder Office of Information Technology and the CU Office of Information Security. Monitoring services will be made available at no cost for individuals whose confidentiality may have been compromised.
OIT upgraded the software to the latest version, which is not susceptible to the vulnerability that allowed the intrusion. OIT was testing the new version and preparing to implement it when the intrusion occurred.
Anyone with questions about this incident should contact the incident helpline at 855-732-0814 (7 a.m. to 4:30 p.m., mountain time zone, Monday through Friday, excluding U.S. holidays).
Should you have additional questions or concerns regarding this matter, or need assistance activating the identity monitoring services offered, contact 1-855-484-1109 (7 a.m. to 4:30 p.m., mountain time zone, Monday through Friday, excluding U.S. holidays).