Breaking News
More () »

DPS waitied 58 days to announce staff, student data breach

The data breach included detailed personal information about current and former students and staff.

DENVER — Who among us has not had their personal information stolen in a data breach?

It can be as tame as an email address and password, but the data taken in a recent Denver Public Schools (DPS) security breach is quite detailed.

The breach, according to a news release from the district, compromised:

  • Names
  • Social security numbers of current and former employees who utilized the district’s health plan
  • Employee fingerprints
  • Bank account or pay card numbers
  • Student ID numbers
  • Driver’s license numbers
  • Passport numbers
  • Limited health plan enrollment information

“I’m very disappointed that DPS did not reach out to all employees as soon as this happened to protect us and show that they value us,” high school math teacher Liz Fant said. 

She found out by reading about it in the news.

The district’s news release said that an “unauthorized actor” accessed the information between Dec. 13, 2022, and Jan. 13, 2023. The release also said the district found out about the breach on Jan. 4, which was before it ended.

“The name of the game in data breaches really is timely notification to affected consumers and affected people,” former Colorado state Rep. Cole Wist said.

Wist helped pass a bill into law in 2018 that requires notification to those affected “not later than 30 days after the date of determination that a security breach occurred.”

There are exceptions for law enforcement needs and determining the scope of the breach.

“The whole purpose here was to make sure that we arm consumers and arm affected people with information rapidly so that they can take steps to monitor their credit, to monitor their bank accounts and to make sure that they’re protected. But if they don’t know, they can’t protect themselves,” Wist said.

DPS released the news on March 3. A spokesman said letters were mailed to those impacted at the same time. That's 58 days after DPS discovered the breach.

“There’s no reason why there couldn’t have been a prompt notification while DPS was investigating the scope of the damage that was done to its system,” Wist said.

In a statement, DPS said it “complied with all applicable laws in responding to this incident.”

The district's statement said: 

This incident occurred in January 2023. In response, DPS immediately commenced an investigation. DPS notified the CBI, the Colorado Attorney General’s Office, the FBI, and the Secret Service to report the incident and sent communications to all staff members advising them to change their DPS passwords due to ‘suspicious activity detected on our computer network.’ It was not until Feb. 8, that we completed our review of the files on DPS’s computer servers that were potentially subject to unauthorized actor access. Once that review was complete, DPS mailed notification letters within 21 days.

“If Feb. 8 everything was complete, they should have sent out an email Feb. 8,” Fant said.

DPS sent an alert to employees in mid-January to reset their employee passwords. That alert does say “DPS is currently investigating certain suspicious activity detected on our computer network.”

“There was no mention of any of our personal information being compromised,” Fant said. “You didn’t notify me that my bank account information, my fingerprints, that a lot of personal information may be in the hands of a hacker at this point. I would have assumed from that that maybe some of my school information or stuff related to me as a teacher is out there, which I’m not really worried about.”

DPS has 15,000 employees, but the scope of the breach is larger because it includes former employees and students. DPS could not provide a total number of those impacted.

That 2018 state law also requires a breach to be reported to the attorney general’s office no later than 30 days after being discovered.

A spokesman with the AG's office said DPS reported the breach on Feb. 17.

The report is supposed to include the number of Colorado residents impacted. 

The 2018 law also includes requirements surrounding policies on the disposal of personal information.

“They have to set forth in a written policy how long they’re going to maintain that information, when they’re going to destroy it and how they’re going to destroy it,” Wist said. “I’d certainly like to know how DPS is complying with those portions of the law, because I think they’re just as important as the notification pieces.”

DPS did not provide the policy to 9NEWS as of Monday night.

Fant, who is retiring this year, was one of several teachers concerned about how they found out about the data breach, but the only one who was comfortable talking on the record.

“I feel like I have the privilege of speaking out because I’m retiring and I don’t expect there to be any repercussions from this, and there shouldn’t be regardless,” Fant said.



Before You Leave, Check This Out