We were notified on July 6, 2022, that customer data stored by one of our subcontractors was accessed by an unauthorized party on June 15, 2022. The information included customer names and addresses, Colorado Springs Utilities account numbers and in most cases, phone numbers and/or email addresses.
No sensitive financial data, such as social security numbers, bank account information or credit card numbers were compromised. Despite the limited nature of the information released, we felt it important to notify impacted customers whose information was in the accessed file. A letter will arrive via mail in the coming days to those impacted.
A data breach is the loss of sensitive, proprietary, or confidential information and is typically an event that requires notification according to statute. Due to the limited information that was accessed, this is not defined as a “data breach.” We chose to proactively notify customers of the disclosure of limited information in the interest of transparency.
Approximately 200,000.
We do not call or email customers asking for information. If you receive any such communication, do not respond, but instead call our Customer Service Center at (719) 448-4800.
You can also view additional tips to avoid scams and fraud on this webpage.
We received the accessed file and were able to review and evaluate all of the contents. The third party subcontractor who experienced the incident did not have access to sensitive financial information such as social security numbers or credit card numbers.
There is little that can be done with the accessed information on its own. The most likely threat would come from the unauthorized actor attempting to use the email or phone number to contact account holders requesting sensitive information - by posing as Colorado Springs Utilities, for example. This is why we remind our customers that we do not call demanding information such as credit cards, payment or social security numbers
Our systems were not affected by this incident. The disclosure of information was isolated to a subcontractor’s system.
The third-party subcontractor has already implemented system enhancements to protect the data we entrust them. They have addressed the policy requirements to manage our data as agreed upon in a secure manner.
Due to security interests, we are not releasing this information.
We provide only the minimum set of information required for a contractor to complete their assigned duties and limits the usage of such information to only those functions allowed in the contract. All contracts which include the need for our organization to provide sensitive data to an external party are required to include specific security requirements like usage restrictions, encryption strength / usage, user account restrictions, requirements for third party attestation of security practices, data storage and destruction requirements, and more.
We have a robust cyber security policy and security best practices in place to help prevent data loss and/or unauthorized access. We do not disclose information about you, except as necessary, to perform our utility business operations, sometimes with the help of vendors or business partners, or as permitted by law. To learn more, our privacy disclosure is available on our website.