Colorado Dept of Higher Education Reports June 2023 Ransomware Attack
8 min read“Governmental entities require residents to provide personally identifying information to access programs and services, receive benefits, and more. If we are going to require our residents give us their information, we have a duty to protect it.” – Jessica Campbell-Swanson, Board of County Commissioners, District 2, Arapahoe County, Colorado
According to an August 4, 2023 official release, on June 19, 2023, the Colorado Department of Higher Education (CDHE) discovered that a threat actor had gained unauthorized access to its systems between June 11 and June 19 and copied data including students’ names, student identification numbers, and social security numbers. The department described the breach as a “cybersecurity ransomware incident.” A ransomware attack is a “type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access,” according to the National Institute of Standards and Technology (NIST) The FBI advises victims of ransomware attacks not to pay ransoms, as there is no guarantee that copied data will not be disclosed or sold at a later date. At this time, it is unclear whether the department paid the ransom. The CDHE is “working with third-party specialists to conduct a thorough investigation into the incident.” As a part of the investigation, the department is reviewing records and will notify potentially impacted individuals by mail or email once the investigation is complete. According to department officials, the incident remains part of an internal and criminal investigation.
In response to this attack, the CDHE is conducting a review of its policies and procedures and plans to implement additional cybersecurity safeguards to mitigate the risk of future attacks. Additionally, the department is providing impacted individuals with two years of free credit monitoring and identity theft protection through multinational consumer credit reporting company, Experian.
Potentially Impacted Individuals:
- Individuals who attended a public institution of higher education in Colorado between 2007-2020
- Individuals who attended a Colorado public high school between 2004-2020
- Individuals with a Colorado K-12 public school educator license between 2010-2014
- Individuals who participated in the Dependent Tuition Assistance Program from 2009-2013
- Individuals who participated in Colorado Department of Education’s Adult Education Initiatives programs between 2013-2017
- Individuals who obtained a GED between 2007-2011
While it doesn’t affect municipal governments directly, the attack was certainly a wake-up call for local officials to assess and improve their own cybersecurity plans, which most major metropolitan counties’ technology departments already have in place.
In a statement Phil Savino, the Technology Director for the South Denver metro county, Arapahoe County, said, “Our Cybersecurity Manager has developed and fostered relationships with our partners in the State of Colorado, including the Department of Education, Federal partners at CISA (Critical Infrastructure Security Agency), and DHS (Department of Homeland Security) and all 64 counties in Colorado over the last three years, gaining the trust and respect of our mutual partners.”
Savino added, “The breach at the Colorado Department of Education doesn’t affect Arapahoe County directly, but it is possible that it affects Arapahoe County’s residents indirectly through the information that was stolen.”*
“The CDHE ransomware attack and subsequent breach highlight the responsibility of information-holding entities like governments to take our cybersecurity seriously,” acknowledged Jessica Campbell-Swanson**, who represents District 2 on the Board of County Commissioners in Arapahoe County. “Governmental entities require residents to provide personally identifying information to access programs and services, receive benefits, and more. If we are going to require our residents give us their information, we have a duty to protect it.”
There are many areas that local officials should consider when securing systems and data, and Arapahoe County has taken a proactive approach to cybersecurity. According to Savino, “Not only do we stay up to date on all software updates, but we also implement quarterly security training for all county employees and conduct internal and external penetration testing, vulnerability scanning, patch management, and internal/external auditing. We have taken a proactive approach to reducing the potential for negative impacts on data security, operations, and legal compliance to enhance the overall decision-making process to assess third-party vendors for risk and security before they are procured by the county. These assessments ensure that the solutions align with our organization’s security, regulatory, operational, and financial requirements.”
However, local and state officials must remember that cybersecurity threats are constantly and rapidly evolving. Savino agreed, “In the coming months, Arapahoe County will move forward with adopting StateRAMP into our vendor assessment process which the State of Colorado secured to assess all third-party vendors before contracting with a solution. StateRAMP, like FedRAMP, will require that all vendors meet minimum security requirements through a process like ours but take it a step further by assisting the vendors to become StateRAMP certified. Arapahoe County Government remains diligent in the continued improvement of our cyber security posture.”
“I am proud of the steps Arapahoe County’s Technology Department has made to protect our residents and their information against such attacks and hope we continue to be successful in preventing breaches as attackers evolve and create new methods of attacking systems,” declared Campbell-Swanson.
Read the Full Statement from Arapahoe County’s Technology Director, Phil Savino
Information on Credit Monitoring and Identity Theft Protection from the CDHE Release
Enroll in Monitoring Services
To help protect an individual’s identity, CDHE is offering complimentary access to Experian IdentityWorksSM for 24 months.
Please note that Identity Restoration is available to potentially impacted individuals for 24 months from the date of this notice. The Terms and Conditions for this offer are located at https://www.experianidworks.com/restoration.
While identity restoration assistance is immediately available to individuals, we also encourage to activate the fraud detection tools available through Experian IdentityWorks as a complimentary 24-month membership. This product provides individuals with superior identity detection and resolution of identity theft. To start monitoring personal information, please follow the steps below:
- Ensure that you enroll by November 30, 2023 (Code will not work after this date.)
- Visit the Experian IdentityWorks website to enroll: https://www.experianidworks.com/credit
- Provide your activation code: QS3PVK3NQ3
If you believe there was fraudulent use of your information and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).
If you have questions about the product, need assistance with Identity Restoration, or would like an alternative to enrolling in Experian IdentityWorks online, please contact Experian’s customer care team at (833) 301-1346 by November 30, 2023. Please be prepared to provide engagement number B100473 as proof of eligibility for the Identity Restoration services by Experian.
ADDITIONAL DETAILS REGARDING 24-MONTH EXPERIAN IDENTITYWORKS MEMBERSHIP
A credit card is not required for enrollment in Experian IdentityWorks. You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks:
- Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only.
- Credit Monitoring: Actively monitors Experian file for indicators of fraud.
- Identity Restoration: Identity Restoration specialists are immediately available to help you address credit and non-credit related fraud.
- Experian IdentityWorks ExtendCARETM: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
- $1 Million Identity Theft Insurance: Provides coverage for certain costs and unauthorized electronic fund transfers.
*I, personally, fall into both of these groups, having attended multiple public high schools in Arapahoe County beginning in 2004 and graduating from Cherry Creek High School in 2007, as well as attending the University of Colorado in Boulder from 2007 to 2010.
**Statements provided by District 2 Commissioner Jessica Campbell-Swanson reflect her own views and not those of the Board of County Commissioners for Arapahoe County.
2 thoughts on “Colorado Dept of Higher Education Reports June 2023 Ransomware Attack”