CU-Boulder Reports Security Breach In College Of Arts And Sciences Advising Computer

December 15, 2006

University of Colorado at Boulder officials today announced that a server in the campus's Academic Advising Center was the subject of a computer attack.

CU-Boulder officials said they had begun the process of notifying 17,500 individuals that their personal information - including names and Social Security numbers - might have been exposed in the attack. CU-Boulder officials are continuing to determine the extent of information exposed.

Employees with CU-Boulder's Information Technology Services office discovered the attack on Dec. 8 and, following CU guidelines, began an investigation to determine how the system compromise occurred.

"The hacker apparently entered the server through a Web page," said Todd Gleeson, dean of CU-Boulder's College of Arts and Sciences, which houses the Academic Advising Center. "The information exposed contained the names and Social Security numbers of students who attended CU-Boulder orientation sessions from 2002 to 2004. We do not presently have any evidence that the data were actually accessed or used, and we are notifying the students affected."

In 2005, CU-Boulder ceased using Social Security numbers as administrative identifiers for faculty, staff, students and administrators.

CU-Boulder Vice Provost for Campus Technology Robert Schnabel said the attack was quickly discovered and assessed by ITS personnel. "Following our protocols, they immediately notified our campus ITS security office and the investigation began," said Schnabel.

Schnabel said the attack comes at a time when a comprehensive effort is under way on the Boulder campus to locate and remove existing personal data from departmental servers and to protect other sensitive data. He said ITS is piloting a new "sweeping" software utility called "Spider" that identifies personal data such as Social Security numbers that may still exist on a computer, so that the data can be quickly purged.

"Using this sweeping software is part of our continued effort to build a comprehensive information risk management program," said Schnabel.

Students who wish to know more about how to deal with identity theft can visit a special CU Web site at

main page ATTRITION feedback