CU Boulder, its departments and individuals are being extorted for stolen data
The University of Colorado, its departments, and some individuals have received extortion demands related to a cyberattack that compromised more than 310,000 records, including student and medical information, and some Social Security numbers.
Some of the stolen data has already been posted on the dark web, and the attackers have threatened to post more if their demands are not met. In recent days, those demands have “ramped up,” said Ken McConnellogue, vice president for communications at the University, in an email statement to The Denver Gazette.
“The university does not intend to do so, following guidance from the FBI,” officials said in the release. “Paying would not ensure that data is not posted, now or in the future, or that there would not be additional demands.”
In response to the theft of sensitive information, including grades, transcript data, student ID numbers, visa status, university financial account information and more, the university is providing credit and identity monitoring, fraud consultation and identity theft help to those impacted by the attack.
CU Boulder’s campus was the hardest hit in the attack, but its Denver campus was also affected, according to the release.
University officials learned about the cyberattack on its vendor Accellion — a cybersecurity company — on Jan. 25, which prompted officials to shut down its service immediately.
Accellion’s software allows the university to transfer large and sometimes sensitive files to different departments and sometimes other campuses within CU’s system.
CU is among at least 10 universities and 50 other organizations that were affected by the attack, McConnellogue said.
Jose Sanchez, a tier 1 technical support specialist with Avast, a cybersecurity company, said the best way large corporations or universities can protect themselves from cyberattacks through a third-party vendor is by having a firewall in place.
“Usually we’ll recommend a third-party firewall, if you can,” Sanchez said. “Some softwares don’t install the actual firewall on servers, so we recommend having a third-party one, just as an extra backup.”
Additionally, Sanchez recommended changing administrative passwords frequently, frequently running anti-virus scans on computers and services, and having the latest software available.
According to Accellion’s third-party security assessment performed by Mandiant, the breach in December 2020 and January 2021 came due to vulnerabilities within Accellion’s code.
The computer code has since been fixed with a newly developed patch by Accellion, according to the report.
Although the University wasn’t directly attacked, officials said they are in the process of completing a “lessons learned exercise” to improve future practices.