Colorado Calls for Inquiry Into Delayed Data Breach Reporting

The Department of Higher Education waited eight weeks to notify the attorney general’s office of a data breach that affected thousands of personal records from the last two decades, despite state law requiring a 30-day notice.

Colorado House Republican leaders on Monday, Oct. 30, called for an investigation into why Colorado's higher education agency allegedly failed to timely report a massive data breach this summer.

In a two-page letter hand-delivered to Gov. Jared Polis and Attorney General Phil Weiser, five state representatives also urged an inquiry into why thousands potentially affected by the breach still have not yet been told individually, as the law mandates.

"I am extremely concerned that the state took so long to notify the public of this breach and the failure to contact potentially impacted individuals in a timely manner appears to be in direct violation of the law," stated the letter from GOP leadership, a copy of which was provided to The Denver Gazette.

The letter was signed by House Minority Leader Mike Lynch, R-Wellington, and Republican Reps. Rose Pugliese, the House assistant minority leader, Mary Bradfield of Colorado Springs, Don Wilson of Monument and Anthony Hartsook of Parker. Bradfield, Wilson and Hartsook are members of the House Education Committee.

Polis' office refused to comment on the letter because of Colorado Department of Higher Education's "ongoing investigation" into the breach. Weiser's office said it had not yet seen the letter.

The request comes on the heels of a Denver Gazette report on Saturday that the Colorado Department of Higher Education, which oversees the state's post-secondary system, waited eight weeks to notify the AG's office about a data breach that affected thousands of records containing personal data going back two decades.

State law requires the breach to be reported no later than 30 days after it's discovered.

Weiser's office on Monday said the 30-day requirement begins to toll after an agency determines personally identifiable information was compromised, not just that a security breach occurred. The higher education department said that happened on July 6, even though it discovered the breach occurred nearly three weeks earlier.

The department on Monday said it gave public notice "as required by law" on Aug. 4 but did not reference the time it took to do that. It also said it has sent letters to "those individuals for whom we did have contact information."

The ransomware attack began June 11, was discovered on June 14 and lasted until June 19, records obtained by The Denver Gazette show. CDHE has not said how many people were affected but said it involved personal data for public high school and college students dating to 2004, as well as K-12 educators licensed between 2010 and 2014 and anyone who obtained a GED from 2007 through 2011.

CDHE reported the breach to the AG's office on Aug. 4, the same day it made a public announcement about it. The agency on Monday, however, said it discovered the breach on June 19.

All of that happened only after a mid-level manager at CDHE mistakenly referred to the breach during a phone conference a week earlier that included some university officials who weren't aware of it.

On July 28, Maggie Yang, CDHE's senior director of data systems, let slip in a meeting with outsiders that there had been a ransomware attack.

That caused CDHE to launch a massive systemwide notification plan that would include financial aid directors, chief information officers and university presidents across Colorado, according to an email from CDHE's then-chief operating officer that laid it out.

"I apologize that I shared more than I should in a meeting this morning and lead to all these extra work for you all," Yang emailed her colleagues. "I cannot reverse what I already shared but if there is anything I can do to help, please let (me) know."

The mistake kicked off a series of statewide emails by CDHE telling college and university officials about the breach and what the agency was doing about it.

CDHE said its "notification included steps that individuals can take, including contacting a call center and a code to use for 24-month complimentary credit monitoring. ... The investigation into the data breach is ongoing."

In calling for an investigation, the representatives said more immediate steps should have occurred given the size of the breach.

"This appears to be a significant data breach affecting thousands of Colorado students, teachers and administrators. The lack of transparency and timely communication related (to) this event is alarming," the representatives' letter goes on. "The failure of the state to disclose this information to the public and the affected students, teachers and others involved in the data breach raises serious questions that require state leaders' immediate attention."



(c)2023 The Gazette (Colorado Springs, Colo.) Distributed by Tribune Content Agency, LLC.
