Colorado Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A timeline of major cybersecurity incidents in Colorado, from the CDOT SamSam ransomware attack to the HCPF MOVEit breach affecting four million people. Learn what happened and what Colorado law requires after a breach.
Colorado sits at a unique intersection of cybersecurity risk. The state hosts critical aerospace and defense operations — including NORAD, U.S. Space Command, and the U.S. Air Force Academy — alongside a booming technology sector centered in the Denver-Boulder corridor and a significant energy industry. This concentration of high-value targets, combined with a rapidly growing population and expanding digital infrastructure, has made Colorado a repeated target for sophisticated cyberattacks over the past decade.
The incidents documented below are not hypothetical scenarios. Each represents a real breach that disrupted Colorado organizations, exposed sensitive data, and cost millions of dollars to remediate. For organizations operating in Colorado, these cases reveal recurring vulnerabilities — from unpatched systems to third-party vendor risk — that continue to affect businesses across the state's cyber threat landscape. Understanding how Colorado's data privacy laws apply after an incident is equally important for any organization handling personal data here.
Major Cyber Incidents in Colorado: A Timeline
2018 — CDOT SamSam Ransomware Attack
In February 2018, the Colorado Department of Transportation (CDOT) was hit by the SamSam ransomware variant, forcing the agency to shut down approximately 2,000 employee computers. The attack encrypted files across CDOT's network and displayed ransom demands in Bitcoin. The state refused to pay and instead brought systems back online manually, a process that took weeks and cost an estimated $1.5 million in remediation. CDOT was hit a second time by a different ransomware variant just weeks after the initial attack, while recovery was still underway. The Colorado Office of Information Technology (OIT) and the Colorado National Guard's cyber unit assisted in response. The CDOT incident became one of the earliest high-profile examples of SamSam ransomware targeting state government infrastructure and demonstrated how prolonged recovery periods create windows for secondary attacks.
2020 — UCHealth Data Breach
UCHealth, one of Colorado's largest healthcare systems with hospitals across the Front Range, disclosed a data breach affecting patient records after an unauthorized third party gained access to an employee email account. The compromised account contained patient names, dates of birth, medical record numbers, and clinical information. UCHealth notified affected patients and implemented additional email security controls. The incident illustrated a recurring problem in healthcare: even large systems with dedicated IT teams remain vulnerable to credential compromise targeting individual employee accounts.
2021 — University of Colorado Accellion File Transfer Breach
The University of Colorado was among dozens of organizations worldwide affected by a zero-day vulnerability in Accellion's legacy File Transfer Appliance (FTA). The Cl0p ransomware group exploited the vulnerability to exfiltrate sensitive data from CU systems, including Social Security numbers, student records, medical data, and university research information. The breach affected multiple CU campuses and the university's health system. Stolen data was published on the Cl0p group's dark web leak site. The incident highlighted the risks of legacy file transfer technologies and the cascading damage of supply chain vulnerabilities in higher education environments.
2022 — Denver Public Schools Employee Data Breach
Denver Public Schools disclosed a data breach in early 2023 stemming from unauthorized access to its computer systems between December 2021 and January 2023. The breach affected approximately 35,000 individuals, including current and former employees, contractors, and some students. Exposed data included names, Social Security numbers, fingerprints, bank account numbers, driver's license numbers, and passport numbers. The prolonged period of unauthorized access — over a year — before detection raised serious questions about monitoring and detection capabilities within the district's IT infrastructure.
2023 — Colorado HCPF MOVEit Breach
The most consequential data breach in Colorado's history occurred in 2023 when the Colorado Department of Health Care Policy & Financing (HCPF) was affected by the widespread exploitation of the MOVEit Transfer file transfer software. The Cl0p ransomware group exploited a zero-day SQL injection vulnerability in MOVEit to steal data from hundreds of organizations worldwide, and HCPF was among the hardest hit. The breach exposed the personal and health information of more than four million Colorado residents enrolled in Medicaid and other state health programs. Compromised data included names, Social Security numbers, dates of birth, home addresses, income information, clinical data, and health insurance identification numbers. It was one of the largest government healthcare data breaches in U.S. history and underscored the catastrophic risk of third-party software vulnerabilities in government systems.
2023 — Colorado Attorney General's Office MOVEit Exposure
The Colorado Attorney General's Office was also affected by the same MOVEit vulnerability exploited in the HCPF breach. The office confirmed that some data it maintained through the file transfer system was accessed by the attackers. While the scope was smaller than the HCPF breach, the fact that the state's top law enforcement office was simultaneously compromised through the same third-party vulnerability amplified public concern about vendor risk management across Colorado state agencies.
2024 — Colorado State Public Defender's Office Cybersecurity Incident
In early 2024, the Colorado State Public Defender's Office experienced a cybersecurity incident that disrupted case management systems and forced attorneys to request continuances in court proceedings across the state. The office took systems offline as a precaution while investigating the scope of the intrusion. The incident affected the ability of public defenders to access case files, client records, and court documents for several weeks, illustrating how cyberattacks on government legal systems can directly impede access to justice.
Colorado Data Breach Notification Law
Colorado's data breach notification requirements are codified in C.R.S. § 6-1-716. The law applies to any individual or commercial entity that maintains, owns, or licenses personal identifying information of Colorado residents. Under amendments that took effect in 2018, organizations must notify affected Colorado residents within 30 days of determining that a security breach occurred — one of the shortest notification windows of any state in the country.
If the breach affects 500 or more Colorado residents, the organization must also notify the Colorado Attorney General within 30 days. Notification to individuals must include the date or estimated date of the breach, a description of the personal information involved, and contact information for the major credit reporting agencies. The law defines personal identifying information broadly, covering Social Security numbers, driver's license numbers, financial account information, biometric data, health insurance identification numbers, and login credentials combined with a resident's name.
Colorado does not specify statutory penalties for breach notification failures in the same way some states do. Instead, enforcement is handled by the Colorado Attorney General under the Colorado Consumer Protection Act, which provides for civil penalties and injunctive relief. For a complete overview of compliance obligations, see our guide to Colorado cybersecurity compliance requirements.
Patterns and Lessons from Colorado Cyber Incidents
Third-Party and Supply Chain Risk Dominates
The two largest breaches in Colorado history — HCPF MOVEit and the CU Accellion breach — both originated from vulnerabilities in third-party file transfer software. Colorado organizations cannot secure what they do not control, making vendor risk management and contractual security requirements essential. Every organization should inventory its third-party software, particularly legacy file transfer tools, and evaluate whether those vendors maintain rigorous security practices.
Government Systems Are Primary Targets
State agencies, school districts, and the public defender's office have all been hit. Government entities often operate with constrained IT budgets, legacy systems, and complex procurement processes that slow security upgrades. Colorado's OIT has worked to centralize cybersecurity functions, but individual agencies and local governments remain vulnerable.
Healthcare Data Is Disproportionately Exposed
Multiple incidents involved healthcare data, reflecting both the high value of medical records and the complexity of securing healthcare IT environments. Organizations handling health data should invest in managed security services that provide continuous monitoring and rapid incident detection.
How Colorado Businesses Can Reduce Breach Risk
The breach history outlined above points to specific, actionable steps that Colorado organizations should prioritize:
Audit third-party software and vendors — inventory every file transfer tool, SaaS platform, and managed service provider that has access to your data. Require vendors to demonstrate compliance with recognized security frameworks
Implement multi-factor authentication across all remote access, email, and privileged accounts — credential compromise remains the most common initial access vector in Colorado incidents
Deploy endpoint detection and response (EDR) to detect and contain threats before they spread laterally across your network
Maintain and test offline backups — the CDOT incident demonstrated that organizations that refuse to pay ransoms need reliable backups and tested recovery procedures
Monitor for unauthorized access continuously — the Denver Public Schools breach persisted for over a year before detection, underscoring the need for security monitoring that detects anomalous access patterns
Prepare for the 30-day notification window — Colorado's notification deadline is shorter than most states, so incident response plans must include pre-drafted notification templates and clear escalation procedures
Many Colorado organizations, particularly small businesses, partner with managed IT services providers to maintain the continuous monitoring and rapid response capabilities that their internal teams cannot sustain alone.
Frequently Asked Questions
How quickly must a Colorado business report a data breach?
Under C.R.S. § 6-1-716, Colorado businesses must notify affected residents within 30 days of determining that a security breach occurred. If the breach affects 500 or more residents, the Colorado Attorney General must also be notified within the same 30-day window. This is one of the shortest notification deadlines in the United States, making pre-incident preparation critical.
What was the largest data breach in Colorado history?
The 2023 HCPF MOVEit breach is the largest known data breach in Colorado history, affecting more than four million residents enrolled in state health programs. The breach was caused by a zero-day vulnerability in the MOVEit Transfer file transfer software exploited by the Cl0p ransomware group. It exposed Social Security numbers, clinical data, and health insurance information.
Did Colorado pay the ransom in the CDOT SamSam attack?
No. Colorado refused to pay the SamSam ransomware demand and instead rebuilt affected systems manually. The recovery process took several weeks and cost approximately $1.5 million. The state's decision not to pay is consistent with FBI and CISA guidance discouraging ransom payments, though it required significant time and resources to restore operations.
What types of personal data are covered by Colorado's breach notification law?
C.R.S. § 6-1-716 defines personal identifying information broadly. It includes Social Security numbers, driver's license or ID numbers, financial account numbers, biometric data, health insurance identification numbers, and login credentials (username or email combined with a password or security question) when combined with a Colorado resident's first name or initial and last name.
How does the Colorado Privacy Act affect breach response?
The Colorado Privacy Act (CPA), which took effect on July 1, 2023, establishes broader data protection obligations that indirectly affect breach response. Organizations subject to the CPA must implement reasonable data security practices, conduct data protection assessments, and maintain data processing agreements with vendors. A breach that results from inadequate security practices could trigger enforcement actions under both the CPA and the breach notification statute. See our Colorado compliance guide for a full breakdown of CPA requirements.
Alex Morgan
Updated Apr 4, 2026