The University of Colorado has declined to pay cybercriminals a $17 million ransom in order for the criminals not to publish stolen information on the dark web.
Several universities, including the University of Colorado, Yeshiva University, the University of Miami, the University of California system, Stanford University’s School of Medicine and the University of Maryland, Baltimore, recently confirmed that sensitive data had been accessed and shared on the dark web in connection to a cyberattack on IT company Accellion.
A vulnerability in Accellion’s file-sharing software, which many universities and companies use to securely share sensitive documents and data, was exploited by cybercriminals earlier this year.
At the University of Colorado, more than 300,000 university records, including personal information such as student transcripts and medical records, were compromised. The University of Colorado at Boulder was most heavily affected, although files from some other campuses were accessed.
The $17 million ransom demanded from the University of Colorado was reduced to $5 million, but the university does not intend to pay.
“We did receive demands that we decline to meet,” Ken McConnellogue, vice president of communications at the University of Colorado, told CBS4 in Denver. “We have also advised our users to not pay, which is consistent with the guidance that we received from the FBI.”
The university outlined steps it is taking to prevent identity theft for affected individuals in an April 9 update on its response to the attack.