The Colorado Department of Higher Education waited more than a month to report a massive data breach to the state attorney general’s office, evading state law, according to an investigation by the Denver Gazette.
As in many states, government agencies in Colorado are required by law to report any data security breach within 30 days of discovery. Instead, the state’s Department of Higher Education remained tight-lipped about a ransomware attack on its servers that was first discovered on June 14, the Denver Gazette reported.
The Gazette obtained emails and records that showed officials from several state colleges first learned of the ransomware attack during a meeting on July 28 when a “mid-level manager at the state agency” mistakenly mentioned it. The Colorado Department of Higher Education then waited roughly another week to provide notice to the public and Colorado Attorney General, according to the report.
“While this incident is still part of an ongoing criminal and internal investigation, CDHE knows that an unauthorized actor(s) accessed CDHE systems between June 11 and June 19, 2023 and that certain data was copied from the CHE systems during this time,” the CDHE said in a statement publicly announcing the cyberattack on Aug. 4.
In that announcement, the CDHE said the data breach involved personal information such as names, Social Security numbers, student identification numbers and education records.
Those potentially impacted include:
- Those who attended a public institution of higher education in Colorado between 2007-2020
- Those who attended a Colorado public high school between 2004-2020
- Those with a Colorado K-12 public school educator license between 2010-2014
- Those who participated in a Dependent Tuition Assistance Program between 2009-2013
- Those who participated in the Colorado Department of Education’s Adult Education Initiative programs between 2013-2017
- Those who obtained a GED between 2007-2011
Department officials did not publicly disclose how many people they believed were affected by the breach, but said the department will provide identity theft protection services through Experian for two years to affected individuals.