Hackers accessed 16 years of Colorado public school student data in June ransomware attack

Every student who attended Colorado public schools between 2004 and 2020 had their personal information accessed by criminal hackers.

The Colorado Department of Higher Education (CDHE) published the bombshell revelation in a notice on Friday, saying it was attacked by a ransomware gang during an eight day period in mid-June. Also affected are certain cohorts of higher education students, as well as some recipients of General Education Development certificates and teacher’s licenses.

The governor’s office and the Office of Information Technology did not respond to requests for comment about which ransomware group targeted the CDHE and whether a ransom was paid. No ransomware gang has taken credit for the incident.

Officials at CDHE discovered the attack on June 19 and have been investigating the incident since, discovering that the hackers copied data from their system.

“CDHE took steps to secure the network and has been working with third-party specialists to conduct a thorough investigation into this incident,” the department wrote, saying it had “worked to restore systems and return to normal operations.”

Some of the impacted records include names, Social Security numbers, student identification numbers and “other educational records” that ranged from bank statements and bills, used for proof of address, to copies of government IDs, complaints and police reports.

The department did not say how many people were affected in total, but explained that they include anyone who:

• Attended a Colorado public high school between 2004-2020
• Attended a public institution of higher education in Colorado between 2007-2020
• Obtained a Colorado K-12 public school educator license between 2010-2014
• Participated in the Dependent Tuition Assistance Program from 2009-2013
• Participated in the Colorado Department of Education’s Adult Education Initiatives programs between 2013-2017
• Obtained a GED between 2007-2011

CDHE said it plans to notify those affected by mail or email but is still investigating the attack. Victims are being offered two years of identity theft protection services.

Colorado residents have dealt with a wave of ransomware attacks and wide-ranging data thefts in the last year. Students in the state recently learned that Colorado State University (CSU) had data stolen during the Clop ransomware gang’s exploitation of a popular file transfer service.

That breach involved the names, Social Security numbers, demographic information and more of “prospective, current, and former CSU students and current and former employees.”

Like dozens of organizations across the U.S., CSU was exposed to the vulnerability through a range of vendors, including TIAA, National Student Clearinghouse, Corebridge Financial and Genworth Financial.

The MOVEit breaches also affected Colorado’s Department of Health Care Policy & Financing, with the state telling residents in late June that anyone who has “applied for or have been covered anytime since 2015 by Health First Colorado or Child Health Plan Plus” needs to protect themselves.

In March, Denver Public Schools similarly announced a data breach affecting all of their 15,000 workers involving personal information like bank account numbers and driver’s license numbers accessed by hackers in December and January.

Names and Social Security numbers of current and former participants in the district’s health plan; employee fingerprints, bank account numbers, student identification numbers, driver’s license numbers, passport numbers and more were accessed by hackers for a month in December and January.