Although Colorado’s top cop is tasked with safe guarding the state’s data security laws, Attorney General Phil Weiser ostensibly does not know how frequently cyber-attacks are reported to his office.

After JeffCo Public Schools reported a Halloween cyber threat, The Denver Gazette inquired with the AG’s office about the frequency of such attacks.

Lawrence Pacheco, an Attorney General’s Office spokesman, did not know and required The Denver Gazette to submit a Colorado Open Records Act, or CORA, request to learn how many threats are reported annually.

That CORA request is still pending.

As a result, it is yet unknown how many data breaches have occurred among Colorado agencies.

Under Colorado law, should a security breach affect 500 individuals or more, public agencies must notify the Attorney General’s Office as well as those who were affected within 30 days, if it is determined personal information has or will be misused.

JeffCo Public Schools is the second largest school district in Colorado behind Denver with roughly 14,000 employees and more than 65,000 students on 140 campuses.

Law enforcement is investigating a cyber-attack after JeffCo Public Schools staff received an email on Oct. 31 from a hacker group called “SingularityMD” that claims to have stolen a 40-gigabyte dataset that includes sensitive, private information on students and staff.

Hundreds of JeffCo parents received a copy of the SingularityMD threat, which The Denver Gazette has obtained.

School officials have not updated the public on the status of the hack since Nov. 7.

The Colorado Department of Law, led by the attorney general, is responsible for enforcing data security laws applicable to private and government agencies.

Consumer protection laws in Colorado require agencies subject to the law to take reasonable steps to protect private information and to properly dispose of it when no longer needed.

The Colorado Privacy Act also requires agencies to have appropriate technical and organizational data security safeguards.

“While each entity’s data security needs and practices may differ, there are some common best practices that most, if not all covered entities can implement,” according to the Colorado Attorney General’s Office.

The Denver Gazette is aware of at least three cyber incidents this year, including the JeffCo hack.

Last month, The Denver Gazette reported that officials at the Colorado Department of Higher Education had failed to flag law enforcement about a massive data breach it had discovered in mid-June.

And in January, Denver Public Schools officials discovered the personal information for as many as 15,000 employees was stolen in a cybersecurity incident.

Kimberly Eloe Mahugh, a district spokesperson, did not respond to a phone call Tuesday seeking comment. A staffer in the communication department at JeffCo, meanwhile, said the district “doesn’t have any additional information at this time except for what is on the website.”

If JeffCo officials know the extent of the cyber threat the school district is facing, they have not yet disclosed it.

Emails from the purported hacker group SingularityMD – which has also claimed responsibility for the cyber-attack on Clark County School District in Nevada – claim to have stolen staff phone numbers and home addresses as well as students’ birthdates, emergency contacts, phone numbers and email.

Of particular concern to parents is the assertion that the hackers also obtained, dating back to 2020, Individualized Education Programs, also called “IEPs,” which can contain sensitive health care information.

“Your overall approach to cyber security is too relaxed,” Anihi Blep, likely an alias, wrote in an Oct. 31 email to several district executives, including Superintendent Tracy Dorland.

Initially, the hackers demanded a $15,000 ransom in cryptocurrency, but lowered the amount to $2,000.

Failure to pay the ransom, SingularityMD told district officials, would result in the data being released on the dark web.

It’s unclear whether the district has paid the ransom.

Cybersecurity experts caution users about using easily discoverable information – such as birth dates, anniversaries or family member names – when creating a password. 

This is apparently exactly what JeffCo officials did.

JeffCo parents have told The Denver Gazette that the district used students’ dates of birth when creating accounts for Google Classroom.

Google Classroom is a free platform that streamlines file sharing between teachers and students.

Deb Howitt, a partner with Dorsey & Whitney, an international law firm with offices in Denver, has called this “a terrible practice.” Howitt’s practice area includes data privacy and cybersecurity.

Cybersecurity experts also warn against using passwords across multiple accounts.