Although Colorado government agencies are required to report to the attorney general any data security breach within 30 days of its discovery, the state Department of Higher Education instead kept the ransomware attack on its servers quiet for several more weeks, according to department emails shared with The Denver Gazette and a copy of the report it filed with the Attorney General's Office.
The department only began to reveal the extent of the breach July 28, six weeks after it was discovered June 14, when data information officials from several Colorado universities learned of it during a meeting in which a mid- level manager at the state agency mistakenly mentioned it, according to those emails.
But the notice to the Attorney General's Office and the public didn't happen for another week after that, records show.
Department officials did not immediately respond to a request for comment from The Denver Gazette to explain the time lag.
Weiser's office said it had no comment about the time lag.
The breach involved Social Security numbers and other personal information, such as passport numbers for students at public higher education institutions statewide between 2007 and 2020, as well as public high school students between 2004 and 2020, the department said at the time.
The ransomware attack also affected anyone with a K-12 public educator's license from 2010 to 2014, anyone who participated in the Dependent Tuition Assistance Program from 2009 to 2013, was part of the Colorado Department of Education's Adult Education Initiative programs from 2013 to 2017 or obtained a GED between 2007 and 2011.
The department has not publicly disclosed how many people might have been affected. It also said it planned to notify all of them, as the law requires, to ensure they knew of an offer for two years of identity theft protection services.
It's unclear whether the department paid any ransomware extortion fee. Attackers sometimes require payments, frequently in cyber currency, to unlock whatever systems they might have highjacked.
Emails surrounding the data breach are at the crux of an open records fight between the Public Trust Institute and Colorado Department of Higher Education. PTI obtained dozens of emails related to the breach, but the department withheld 28 others, claiming it had a right not to disclose them.
CDHE said the undisclosed emails contain frank discussions about the cyber attack that are protected because they are part of internal deliberations. Disclosing its contents probably would prevent others from having the open discourse that's necessary for government to function, the department reasoned.
PTI, a nonprofit, argues that a Denver district court judge should review the records to ensure their contents are being withheld properly.
"These are public records related to a security breach of public data," PTI's lead counsel, Suzanne Taheri, argued in court records. "That alone is a matter of public concern, and the public has a right to know how the agency responds to the breach. Colorado law also imposes further duties on state agencies and the public has a right to know if CDHE complied with the law."
The data breach occurred June 11 but CDHE didn't discover it until June 14, records show. By June 21, emails were circulating within the department to determine the extent of the damage.
On June 22, CDHE staff had crafted "some language for our current situation" in an email that was for "internal use only."
"On June 14, CDHE staff became aware of suspicious activity on our computer systems," according to the email from Megan McDermott, CDHE's senior director of communications. "We identified encryption on some files related to ransomware on Monday, June 19. We worked quickly to lock down our system and push out security patches to our devices. We are using backups to rebuild our network and restore our systems."
The email concludes: "In the interest of this investigation, please keep this confidential."
Somehow, though, the chief information security officer at Metropolitan State University of Denver learned of the breach from a CDHE email ostensibly related to fiscal matters that was forwarded to him on June 22, the email shows.
"I'm not on your normal distribution lists, but I'm being asked to track and report on this as part of our incident response processes," Mike Hart wrote Lauren Gilliland, CDHE's lead finance analyst. "I'm especially interested in any potential risk to MSU Denver confidential information, or any potential risk of spread to our systems via existing communications channels."
It's unclear what, if anything, came next. A related email was blacked out.
Hart referred The Denver Gazette to public information officials at MSU. They have not responded to requests for comment.
Gilliland did not respond to efforts to reach her.
Emails show that another university official, Naropa University President Charles Lief, was told of the breach July 11 by CDHE Executive Director Angie Paccione in a conversation, apparently weeks before the department let anyone else know.
Lief explained through an assistant that the conversation was a regular call he participates in with CDHE, "along with four or five largest private school presidents" and that the "potential impact of a data breach was noted during the course of the meeting."
Students from Naropa or any other private university in Colorado would not have been affected by the data breach unless they had also attended a public institution or were part of the specific programs, according to CDHE's announcement.
Paccione acknowledged a Denver Gazette request for comment but offered no response.
Whatever internal secrecy that was being maintained, however, ended July 28, when Maggie Yang, CDHE's senior director of data systems, let slip in a meeting with outsiders that there had been a ransomware attack.
That caused CDHE to launch a massive systemwide notification plan that would include financial aid directors, chief information officers and university presidents across Colorado, according to an email that laid it out by CDHE's then-chief operating officer.
"I apologize that I shared more than I should in a meeting this morning and lead to all these extra work for you all," Yang emailed her colleagues. "I cannot reverse what I already shared but if there is anything I can do to help, please let (me) know."
One notification assignment was for someone to contact David Capps, University of Colorado's chief information security officer.
"I think you can tell him that the meeting this morning was not intended to discuss this issue," COO Inta Morris wrote six others, including Paccione and Yang. "Of course, we will share with him all further information pertaining to this incident."
Morris' note said they had hired an outside firm to help: Atom Creek, a Denver-based computer services firm, according to text messages shared with The Denver Gazette. Online state spending records show CDHE paid Atom Creek more than $83,000 in July. It's unclear how much of that involved the data breach.
Neither Capps nor Morris responded to Denver Gazette efforts to reach them.
Despite the time lag, Polis' director of operations and cabinet affairs, Jesse Marks, emailed others in the governor's office: "Well done on the crisis management, team. I am really grateful for the close coordination."
After the public announcement Aug. 4, Paccione sent an email to CDHE staff praising their work.
"We have legal and statutory obligations when something like this happens, and we met every single one of them!" Paccione wrote. "We were targeted by a highly sophisticated threat actor. ... While we have successfully hit this milestone of informing the public and our partners, we still have a lot of work to do and some data may be lost forever."
Attorney General's Office spokesman Lawrence Pacheco on Thursday confirmed that the data breach team there was notified of the attack only through the state's online reporting portal Aug. 4, not from anyone at CDHE.
©2023 The Gazette (Colorado Springs, Colo.). Distributed by Tribune Content Agency, LLC.
