Colorado Springs Utilities
Duration: 1 minute
Published on July 14, 2022
We were notified on July 6, 2022, that customer data stored by one of our subcontractors was accessed by an unauthorized party on June 15, 2022. The information included customer names and addresses, Colorado Springs Utilities account numbers and in most cases, phone numbers and/or email addresses.
No sensitive financial data, such as social security numbers, bank account information or credit card numbers were compromised. Despite the limited nature of the information released, we felt it important to notify impacted customers whose information was in the accessed file. A letter will arrive via mail in the coming days to those impacted.
Is this considered a data breach?
A data breach is the loss of sensitive, proprietary, or confidential information and is typically an event that requires notification according to statute. Due to the limited information that was accessed, this is not defined as a “data breach.” We chose to proactively notify customers of the disclosure of limited information in the interest of transparency.
How many accounts were in the file that was accessed?
Approximately 200,000.
What if this unauthorized party calls me or emails me?
We do not call or email customers asking for information. If you receive any such communication, do not respond, but instead call our Customer Service Center at (719) 448-4800.
You can also view additional tips to avoid scams and fraud on this webpage.
How do you know more information wasn’t released?
We received the accessed file and were able to review and evaluate all of the contents. The third party subcontractor who experienced the incident did not have access to sensitive financial information such as social security numbers or credit card numbers.
What could be done with the information that was accessed?
There is little that can be done with the accessed information on its own. The most likely threat would come from the unauthorized actor attempting to use the email or phone number to contact account holders requesting sensitive information - by posing as Colorado Springs Utilities, for example. This is why we remind our customers that we do not call demanding information such as credit cards, payment or social security numbers
What systems were affected in this incident?
Our systems were not affected by this incident. The disclosure of information was isolated to a subcontractor’s system.
What has been done by the vendor to protect my information?
The third-party subcontractor has already implemented system enhancements to protect the data we entrust them. They have addressed the policy requirements to manage our data as agreed upon in a secure manner.
Who was the subcontractor?
Due to security interests, we are not releasing this information.
How do you keep information safe when using contractors who have our data?
We provide only the minimum set of information required for a contractor to complete their assigned duties and limits the usage of such information to only those functions allowed in the contract. All contracts which include the need for our organization to provide sensitive data to an external party are required to include specific security requirements like usage restrictions, encryption strength / usage, user account restrictions, requirements for third party attestation of security practices, data storage and destruction requirements, and more.
What does Colorado Springs Utilities do to protect my information?
We have a robust cyber security policy and security best practices in place to help prevent data loss and/or unauthorized access. We do not disclose information about you, except as necessary, to perform our utility business operations, sometimes with the help of vendors or business partners, or as permitted by law. To learn more, our privacy disclosure is available on our website.