[BreachExchange] Spreadsheet snafu exposes private data of 30, 000 Colorado state employees

Destry Winant destry at riskbasedsecurity.com
Thu Oct 15 10:32:53 EDT 2020


https://coloradosun.com/2020/10/14/personal-data-security-colorado-state-employees-breach-pii

The personal data of the state’s 30,000 employees was inadvertently
exposed earlier this month when a master spreadsheet was shared with
benefits administrators at Colorado higher education institutions.

After learning of the information breach on Oct. 7, the Colorado
Department of Personnel and Administration immediately asked the 38
benefits administrators to delete the email and spreadsheet, which
contained social security numbers, birth dates and other sensitive
information of state employees eligible for short-term disability and
do not all work at their schools.

There was no evidence “information was misused or compromised in any
fashion,” according to a letter sent to the affected state employees
by Kara Veitch, executive director of the Colorado Department of
Personnel and Administration.

As is required by law, an organization that exposes private personal
information must notify the victims and share ways to protect their
private information. The letter provided numbers and links to the
three credit reporting agencies that consumers can use to track
potential identity theft activity.

Doug Platt, a spokesman for the Department of Personnel and
Administration, said the administrators who received the spreadsheet
are used to handling sensitive data and regularly receive similar
information from the state.

The department has also taken steps to ensure a similar breach doesn’t
happen again, but Platt did not have more information on the process.

“We believe it to be a very low risk release of information because it
went to benefit administrators only within state government
institutions and departments,” Platt said. “They’re accustomed to
handling this information, and we addressed the release immediately.”

Want exclusive political news and insights first? Subscribe to The
Unaffiliated, the political newsletter from The Colorado Sun. Join now
or upgrade your membership.

The incident doesn’t seem too concerning, said James E. Lee, Chief
Operating Officer at the Identity Theft Resource Center, which tracks
data breaches nationwide and has seen a decline in breaches so far in
2020.

“It’s not common, but it does happen,” Lee said in an email. “It used
to be more frequent in the early days of data breach sensitivity.
There is a relatively low risk in this specific case since the
information was not sent to people outside the state government.”


More information about the BreachExchange mailing list