The University of Colorado at Boulder today announced that it discovered three computers in the Division of Continuing Education and Professional Studies were compromised and that one of the computers contains private data (i.e. names, Social Security numbers, addresses, grades) of approximately 9,000 students and approximately 500 instructors.
Although at this time there is no reason to believe that the data on the computer has been accessed, the university will be contacting the affected students and instructors to provide guidance about how to protect their identities.
An analysis of the data compromise is being conducted by a computer forensics firm hired by the university. While this analysis is still in progress, it is believed that this data compromise affects some students who were enrolled in Division of Continuing Education and Professional Studies courses between 1997 and 2003, as well as some instructors employed by the division. The university will mail letters to affected parties by the end of next week.
"The university and I are deeply troubled that this compromise occurred despite efforts under way across campus to address computer security," said Chancellor G.P. "Bud" Peterson. "We will continue and strengthen our security efforts and hold our departments accountable for their success."
CU-Boulder IT security investigators on April 24 discovered a malicious file on the computers and began analyzing log files to determine the extent of the exposure and whether any information was accessed. The investigators are still trying to determine the intent of the malicious file and whether it allowed the perpetrator to gain access to any private data.
"My colleagues and I in Continuing Education regret and apologize for this unfortunate event. We are doing everything in our power to work with IT officials to assure the security of our computers and to remove the private data from them," said Dean of Continuing Education Anne Heinz.
Over the past few years, the CU-Boulder campus has stepped up efforts to increase security awareness and address IT security. These efforts have included:
o Launching a campus risk assessment process in 2005 to identify campus IT security risks and to locate and eliminate unnecessary databases of Social Security and credit card numbers;
o Switching from Social Security numbers to a student identification number system in 2005;
o Using a restrictive network firewall installed in August 2006 that has greatly reduced the campus's exposure to vulnerabilities;
o Conducting computer security training for all employees.
Students and faculty who believe they may have been affected by the compromise can find more information about protecting themselves following a data exposure at /.