
Cyber Incident Victim: University of Colorado

Date:

Dec 2021

Location:

United States of America

Summary

A cybersecurity incident impacted the University of Colorado due to a breach involving Accellion’s legacy file transfer system, which was exploited through a zero-day vulnerability. The compromised service, primarily used by Boulder campus employees for large file transfers, exposed files uploaded by 447 users across Boulder and Denver campuses, potentially containing personal or sensitive data. The university was notified of the breach significantly later than claimed by Accellion, prompting an investigation and requests for affected users to review their transferred files for confidentiality risks.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In mid-December 2020, Accellion discovered a critical zero-day vulnerability (P0) in its legacy File Transfer Appliance (FTA) software, a 20-year-old product designed for large file transfers. The company released a security patch within 72 hours to fewer than 50 affected customers. Accellion initially claimed in a January 12, 2021 press release that it had promptly notified impacted clients about the December attack, specifically stating customers were alerted on December 23, 2020. However, this assertion was contradicted by multiple entities, including the University of Colorado, which reported receiving its first notification from Accellion on January 25, 2021. The State of Washington and Royal Bank of New Zealand similarly disputed Accellion's timeline, with the bank alleging a five-day delay in critical communications.

The University of Colorado launched an investigation upon notification, determining that attackers had compromised its Boulder campus FTA service used primarily by employees for transferring large files. The breach potentially exposed data from 447 users across CU Boulder and the Denver campus who had uploaded files during the vulnerability window. On February 1, 2021—the same day Accellion issued an update describing the incident as a "concerted cyberattack" with multiple exploits patched in January—the university notified all affected users. These individuals were instructed to review their transferred files for personal, confidential, or sensitive information that might have been accessed without authorization. The Office of Information Security worked to mitigate risks while monitoring for anomalies, though no specific data types or confirmed misuse were disclosed in available reports.
