The University of Colorado is investigating an incident of unauthorized access to the Division of Continuing Education's computer server that contained personal information of approximately 1,000 students and conference attendees, according to preliminary findings.
Some of the sensitive information present on the server included Social Security numbers, credit card numbers, student identification numbers, addresses and dates of birth, creating a potential identity theft problem for those affected. The types of sensitive information that could have been viewed vary by student and program group.
"We are very disturbed to learn about this breach of our computer security," said Anne Heinz, dean of Continuing Education. "We are working closely with information technology professionals and security personnel to analyze the situation so that we can provide accurate information to our students. At the same time, we are taking steps to prevent this type of attack from happening again."
The breach was discovered on the morning of Oct. 19. When the potential problem was identified, the server was isolated and taken offline. Analysis was conducted immediately to determine what information might have been accessed.
There is no evidence that personal data were accessed or extracted. However, as a precaution, the university is in the process of contacting everyone whose information was stored on this server, with instructions on how to protect against potential fraud and identity theft.
Those who may be affected include a limited number of current and former Continuing Education noncredit students; some individuals who submitted applications for a noncredit Continuing Education course or program but never attended; some students who applied for Continuing Education scholarships; and some students who registered for exams through Continuing Education.
Dan Jones, CU-Boulder information technology security coordinator, said, "We understand the importance of maintaining the privacy of sensitive data, including information about our students. We take this matter very seriously and are working to ensure that our policies and security measures promote the integrity and confidentiality of these records."
The university has set up an online resource page at that can help those who might be affected determine what steps they should take next to protect their identity. Some of these steps include contacting credit reporting agencies and credit card companies. The university already has notified affected credit card companies about the incident and the credit card numbers in question have been placed on a watch list.
Other universities recently affected by similar attacks include the University of Texas at Austin, New York University, University of California, San Diego, University of California, Berkeley, and Purdue University.