Cyber Incident Victim: Colorado Springs Utilities

On June 15, 2022, an unauthorized party accessed a system belonging to an unnamed subcontractor used by Colorado Springs Utilities, compromising customer data. The utility discovered this incident on July 6, 2022, and began notifying approximately 200,000 affected customers via email on July 13. Exposed information included customer names, physical addresses, Colorado Springs Utilities account numbers, and—for the majority of impacted individuals—phone numbers and email addresses. The utility emphasized that the accessed data did not include sensitive elements such as Social Security numbers, financial account details, or payment card information. Due to the absence of these legally protected data categories, Colorado Springs Utilities stated the event did not meet the statutory definition of a "data breach" under applicable regulations. Nevertheless, the organization proceeded with proactive notifications to inform customers about the exposure of their non-sensitive information.

Colorado Springs Utilities declined to publicly identify the subcontractor involved, citing security concerns as justification for withholding this detail. The utility confirmed the subcontractor had implemented unspecified system enhancements following the incident to strengthen protections for entrusted data. Additionally, the subcontractor revised its policies to ensure compliance with previously agreed-upon security standards for managing Colorado Springs Utilities’ information. No ransomware, data extortion attempts, or further malicious activity stemming from the incident were reported in the disclosure. The utility’s communications focused on transparency regarding the scope of data exposure while reiterating that no critical personally identifiable information or financial data required protective measures like credit monitoring under the circumstances.