Several universities appear to be the victims of a data breach connected to vulnerabilities in file transfer software sold by IT security company Accellion.
Files containing sensitive information from Stanford University; the University of Maryland, Baltimore; the University of Miami; the University of California, Merced; the University of Colorado and Yeshiva University were recently discovered on the dark web, tech news website Gizmodo reported Thursday.
A statement from the University of California system published Wednesday advised faculty members, students and staff members at all UC campuses not to respond to emails stating, "your personal data has been stolen and will be published."
"We believe the person(s) behind this attack are sending threatening mass emails to members of the UC community in an attempt to scare people into giving them money," the UC statement said. "Anyone receiving this message should either forward it to your local information security office or simply delete it."
The universities' data files were shared on a website called Clop, which is known to share snippets of stolen information and then demand a ransom in return for not publishing the rest of the stolen data.
"Clop has posted data relating to multiple universities, most, if not all, of which have already confirmed their breaches were Accellion-related," said Brett Callow, threat analyst at cybersecurity company Emsisoft, in an email. "Clop is publishing the data from the Accellion breach on a staggered basis and is still adding victims, so it's possible more universities may have been affected."
A vulnerability in Accellion's file transfer software was exploited by cybercriminals earlier this year.