Personal information from hundreds of Colorado Department of Transportation contractors may have been compromised after a data breach involving a CDOT employee.

The employee, who is no longer working for CDOT, had access to a database for several hundred disadvantaged and emerging small businesses. The database for Emerging Small Business (ESB) and Disadvantaged Business Enterprise (DBE) firms contained confidential information -- including tax returns.

“We believe that there is a data breach on the database itself where an employee accessed information and may be using that and selling that information externally,” CDOT spokeswoman Amy Ford said.

The businesses potentially affected by the data breach submitted information to CDOT in order to qualify for ESB and DBE programs, Ford said. The programs are designed to give small, disadvantaged businesses an opportunity to contract with CDOT on construction, professional service, research and more.

Ford said the employee involved in the breach had been working for CDOT less than a year. She could not release the employee's name or say why that person had access to the database. Ford added that CDOT is taking the data breach “incredibly seriously” and referred the case to the Colorado Bureau of Investigation.

“Obviously, we’re going to be going back and looking back at our procedures and our policies to ensure who has access to that information, how it’s used and then ensure that we’re protecting that as we move forward,” Ford said.

A letter from CDOT Chief Engineer Joshua Laipply sent to DBE and ESB firms on Wednesday was obtained by 9NEWS. In the letter, Laipply informs the firms of the breach of information.

“The firms whose information was specifically found in the investigation have been contacted, however the individual had access to our entire database, so all may be at risk,” Laipply wrote.

Laipply also said family members of firm owners were targeted in the breach. Laipply referred to the employee involved in the breach as a “probationary employee” who worked at CDOT from January 2016 to April 2016.

9NEWS reached out to several DBE and ESB firms that may have been impacted by the data breach. One business owner said that, as part of a DBE application, she submitted to CDOT her social security number, multiple personal and business tax returns, credit card information and a list of assets and debt.

Amy Ford said CDOT has contacted all of the affected business owners.

“We’ve reached out to them to talk already about how you protect when it comes to issues of identity theft,” Ford said. “We’re also going to be working to extend identity theft services to them moving forward for the next year.”

On Thursday evening, CDOT contacted business owners potentially affected by the breach and offered them a free year of credit monitoring services. CDOT also recommended that business owners redact social security numbers, accounts and other information provided to CDOT.