Cyber Incident Victim: University of Colorado

Date: May 2023

Location: United States of America

Summary

A cyberattack exploiting a vulnerability in Progress Software's MOVEit Transfer file-sharing application impacted several third-party vendors used by the University of Colorado. The incident affected data held by the National Student Clearinghouse, TIAA's vendor Pension Benefit Information, and United Health Care Student Resources. Compromised information included that of prospective and current students, as well as current and former employees. The university's own systems were not breached in this global security event.

Description

A global cyberattack targeting the MOVEit Transfer software, owned by Progress Software, impacted several third-party vendors used by the University of Colorado. The incident was disclosed by the software vendor, and a group of cybercriminals known as CLOP exploited a critical vulnerability in the software. This vulnerability allowed for unauthorized access to data within files transferred using the MOVEit platform. The University of Colorado's own networks and systems were not directly impacted by this cybersecurity event; the compromise occurred exclusively within the systems of its vendors who utilized the vulnerable software.

The university was notified by its vendors that they had been impacted by this global attack. The affected vendors included the National Student Clearinghouse (NSC), Teachers Insurance and Annuity Association of America (TIAA) through its vendor Pension Benefit Information (PBI), and United Health Care Student Resources (UHCSR). Each of these organizations used the MOVEit Transfer software for handling sensitive data related to the CU community. The National Student Clearinghouse provides educational reporting, research services, and enrollment and degree verification to higher education institutions. NSC confirmed its use of MOVEit and that CU student data was impacted. TIAA, which serves as the university's retirement plan recordkeeper, utilized PBI to assist in death claim and beneficiary auditing processes. While TIAA's own systems were not compromised, PBI's use of MOVEit led to the exposure of some CU participant data. United Health Care Student Resources had provided student health insurance for students at the CU Anschutz Medical Campus and continued to provide it for international students at CU Denver. UHCSR confirmed it used the MOVEit software and that data from CU students who had enrolled in its health insurance plan was impacted.

The nature of the data exposure meant individuals were unlikely to know immediately whether their personal information was involved. The types of individuals whose data was potentially exposed included prospective students, current students, current employees, and former employees. The specific data elements compromised were not detailed in the university's announcement. The responsible cybercriminal group, CLOP, gained access to the data by exploiting the vulnerability in the vendors' MOVEit Transfer instances.

The university's response was primarily communicative and advisory. Upon being notified by the vendors, the university published an official announcement to the CU community on its website to inform them of the situation. This announcement detailed which vendors were involved and the nature of their relationship with the university. The communication emphasized that the breach was contained to third parties and did not represent a failure of CU's internal security systems. The university directed individuals to resources for more information from each specific vendor, providing direct links to NSC, PBI, and UHCSR dedicated pages for the incident.

The university outlined the process for individual notification. It was stated that if an individual's personal data was included in the exposure, they would receive a direct notification letter from the impacted vendor in the near future. Each vendor was responsible for conducting its own notification process. For the incident involving PBI, impacted individuals would receive a letter from PBI itself, which would also include an explanation of how to access complimentary credit monitoring services being offered. Similarly, for the UHCSR incident, impacted individuals would receive a notification letter from UHCSR, which was offering two years of complimentary credit monitoring and identity protection services. For the NSC incident, impacted individuals were to receive a written notification and free credit monitoring services as required by law. The university noted it was working with NSC and would update its website once the notification process was confirmed.

In its communication, the university provided general guidance on identity protection measures available to all individuals, regardless of confirmed impact. This information was presented as proactive steps people could take. The advice included visiting the Federal Trade Commission's website at identitytheft.gov/databreach for information on protecting one's identity. The university encouraged everyone to remain vigilant by reviewing their credit reports and account statements for suspicious activity. It noted the entitlement under U.S. law to one free annual credit report from each of the three major credit bureaus: TransUnion, Experian, and Equifax. The announcement also detailed the rights to place a fraud alert or a credit freeze on a credit report at no cost, explaining the differences between an initial one-year fraud alert and an extended seven-year fraud alert for identity theft victims. It also explained that a credit freeze would prohibit a credit bureau from releasing a credit report without express authorization, though it could delay the approval of new credit applications. Contact information for all three major credit reporting bureaus was provided.

The university clarified its role and the scope of the incident through a detailed FAQ section. It confirmed that its systems were not impacted and reiterated that the vendors TIAA, NSC, and UHCSR were the affected parties. For students, it provided specific clarification regarding health insurance, noting that while UHCSR was the previous provider for CU Anschutz, Anthem Student Advantage became the new provider effective August 1, 2023. Therefore, only students enrolled in the UHCSR plan prior to that date were potentially affected. The university committed to continuing updates for the CU community as further developments emerged and provided contact information for campus information security offices for questions about keeping data safe. The incident served as a reminder of the cybersecurity risks posed by third-party vendors even when an organization's own direct systems remain secure.
