The Colorado Department of Higher Education (CDHE) has suffered a massive data breach that leaked sensitive personal information of current and former students and educators spanning over a decade.
According to a data breach notification on the CDHE website, the leak stemmed from a ransomware attack that impacted the department’s computer systems on June 19, 2023.
“On June 19, 2023, CDHE became aware it was the victim of a cybersecurity ransomware incident that impacted its network systems,” CDHE said.
CDHE said it took steps to secure its systems, engaged external cyber experts, launched an investigation, and was working to restore normal operations.
CDHE data breach impacted diverse groups of students and educators
The probe determined that the data breach impacted the following groups of current and former students and educators:
Those who attended a public institution of higher education in Colorado between 2007 and 2020.
Individuals who attended a Colorado public high school between 2004 and 2020.
Staff members who held a Colorado K-12 public school educator license between 2010 and 2014.
Participants of the Dependent Tuition Assistance Program from 2009 to 2013.
Individuals who participated in Colorado Department of Education’s Adult Education Initiatives programs between 2013 and 2017.
Students who obtained a Colorado Department of Higher Education (CDHE) GED between 2007 and 2011.
The CDHE data breach exposed the victims’ full names, social security numbers, birth dates, addresses, proof of address, photocopies of government IDs, and identity theft police reports or complaints in some cases.
Given the scale of the data breach, the exact number of victims is still under assessment. CDHE has promised to notify all victims whose contact details it has, and has offered 24 months of complimentary credit monitoring and identity theft protection services with Experian.
“Individuals should review account statements and monitor free credit reports to detect suspicious activity and errors. CDHE encourages impacted individuals to enroll in credit monitoring services through Experian,” the data breach notification recommended.
Additionally, victims should remain vigilant against incidents of identity theft and fraud, and potential phishing attacks.
No ransomware group has taken responsibility for the CDHE data breach, and the department has not disclosed whether any ransomware demands were made.
Attackers usually drop ransom notes stating the amount and threatening to leak the stolen information unless the victim pays a ransom.
“Thirteen years of data scooped up in a single breach,” said Carol Volk, EVP at BullWall. “We do not know what defenses the CDHE had in place, but it is imperative that institutions implement the full scope of defenses, as the abuse of data they hold can harm generations of students.”
The education sector is the top target for ransomware attacks
Learning institutions are popular targets for ransomware attacks, given the vast amount of personal information they hold and the devastating impacts disruptions have on learning activities, parents, and students.
“Higher education institutions handle vast amounts of valuable data from a diverse user base but lack the resources and technology to effectively defend against cyber-attacks, making them attractive targets for cybercriminals,” said Emily Phelps, Director at Cyware.
According to The State of Ransomware in Education 2023 report by cybersecurity firm Sophos, the education sector recorded the highest rate of ransomware attacks. Over three-quarters of lower education (80%) and higher education (79%) institutions have suffered a ransomware attack in 2023, up from 56% and 64%, respectively, in 2022.
In December 2022, the US Government Accountability Office (GAO) directed schools to coordinate cybersecurity efforts with the FBI, DHS, and state, local, tribal, and territorial (SLTT) entities.
“Collaboration, public-private partnerships, and increased threat intelligence sharing across public entities can lead to more robust, comprehensive defenses, improving resilience and protecting both the organizations and their people,” Phelps noted.
“Ransomware attacks, though unfortunate, provide essential learning opportunities for higher education institutions to review incident response procedures and bolster their security posture,” according to Kevin Kirkwood, Deputy CISO at LogRhythm. “To proactively defend against such threats, investing in cybersecurity solutions that detect malicious behavior and enable network infrastructure to block access attempts is the first step.”
Kirkwood recommended real-time monitoring, enhancing detection and response capabilities, and prioritizing authentication and access controls.
“Yes, schools are doing their best to stand up the best preventative security tools they can, but there will never be [the] budget or resources to stay ahead of the attackers. Ensuring tools are in place to contain an active attack is where education should focus next,” Volk concluded.