
Cyber Incident Victim: Colorado State University

Date:

May 2023

Location:

United States of America

Summary

The Colorado State University System was indirectly impacted by a global cyberattack targeting the MOVEit Transfer software used by its third-party vendors. No internal CSU systems were breached, but the personal information of current and former students and employees may have been accessed. The university is working with affected vendors to assess the impact and has provided resources to help community members protect their personal data.


Description

A cyber incident impacting the Colorado State University System community was disclosed on July 12, 2023. The event was characterized as a cyberattack directed against third-party organizations that maintain a business relationship with numerous corporations and institutions of higher education across the United States, including the CSU System. This attack potentially resulted in the unauthorized access of personal information belonging to some members of the CSU community. It is critically important to note that no systems operated or maintained directly by the CSU System or its individual campuses were breached or compromised in this event. The university system provided this information proactively to ensure all community members were aware of the situation and could therefore take appropriate steps to safeguard their personal information from potential misuse.

The incident was identified as a global attack targeting the MOVEit Transfer software, a tool utilized by various vendors for exchanging data files with clients worldwide. Several specific third-party vendors that have a relationship with Colorado State University were notified of their involvement in this widespread security event. These vendors formally notified CSU that they had been impacted by the exploit against the MOVEit software. The named vendors include TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sunlife, and The Hartford. Each of these organizations plays a role in managing data related to the university's operations, particularly concerning its employees and students, both current and former.

The data breach facilitated by this attack on the vendors' systems may involve sensitive personal information. The potential data exposure affects some current employees and students of the Colorado State University System, as well as former employees and students. The scope of the impacted data is significant, with information dating back to at least the year 2021 being involved. The exact nature of the personal information was not detailed in the initial notification, but such breaches typically involve identifiers that could be used for fraudulent purposes, making the notification a crucial step in risk mitigation for the affected individuals.

The scale of this cybersecurity event extends far beyond the Colorado State University System. As of the disclosure date of July 12, 2023, more than 280 organizations globally had been impacted by the MOVEit security event. This widespread impact underscores the severity of the vulnerability exploited within the MOVEit software and highlights the interconnected nature of data security when relying on third-party service providers. Many other universities and educational institutions were similarly affected, making this a significant incident within the higher education sector and beyond.

The Colorado State University System administration, led by its Chief Information Officer, committed to continuing its work with the affected vendors to gauge the full impact of the cyberattack on its community members. The process of determining the exact number of individuals impacted and the specific types of data accessed is often complex and can unfold over an extended period following the initial discovery of the breach. The university system pledged to gather the latest information from these vendors to provide accurate and timely updates to its community.

To centralize communication and provide a resource for those affected, the CSU System established a dedicated webpage. This online resource was designed to host updated information as it became available from the ongoing investigations conducted by the third-party vendors. The primary purpose of this page is to help community members mitigate their personal risk by providing them with the latest confirmed details and guidance. The university emphasized that regardless of whether an individual was ultimately confirmed to be impacted by this specific event, the situation serves as an important reminder for everyone to take proactive steps to protect their personal data.

The incident, while originating entirely outside of the university's own infrastructure, was framed as a stark reminder of the persistent importance of cybersecurity. The notification stressed that the CSU System institutions remain deeply committed to data security, even when the threat emerges from a vendor in its supply chain. Community members with questions about general data safety practices were directed to contact their respective university or System information technology experts for advice and best practices.

The response was coordinated under the leadership of Brandon Bernier, the Chief Information Officer for the CSU System and the Vice President for Information Technology. His communication assured the community that the Division of IT and the entire university system would continue to prioritize the security of personal data. A key part of this ongoing effort is the commitment to maintain transparency and keep the community updated via the designated website on any future developments related to this incident. The university's approach focused on providing clear facts, acknowledging the concerns of its community, and directing individuals to resources without causing unnecessary alarm, since its own systems remained secure. The incident illustrates the modern challenge of managing cyber risk that is not contained within an organization's own network but is instead inherent in the ecosystem of third-party software and service providers upon which large institutions rely for critical functions.
