First I would contact them, you have obviously done this and it didn't work since it happened again.
Second I would contact their major transit providers, assuming they aren't a major transit provider themselves.
If you share mutual transit providers then you will be most likely to get satisfactory results.
If you aren't a customer of their transit provider then you may not get anywhere.
Third you can contact ARIN to talk to the perpetrator and/or their transit providers.
This is one of their primary functions.
The final option is legal.
IANAL (usual disclaimer)
CMU probably has a legal department that may be able to request an injunction or file suit for damages.
People tend to forget that when prefixes are hijacked there is legal recourse after the fact.
Of course with the international nature of the internet legal recourse may be difficult or impossible.
In this case with a US based ISP, the legal remedy might be feasible.
This is long slow and doesn't help at all during an incident,
but it will probably keep it from happening again.
ISPs are businesses and when it hits the pocket book they pay attention.