Colorado Springs Utilities says some customers’ personal information was stolen

210729-CMOTR-COLORADO-SPRINGS-DRAKE
Hart Van Denburg/CPR News
The Martin Drake Power Plant in Colorado Springs is one of the last urban-sited coal plants in the United States. Colorado Springs Utilities has committed to closing the coal-fired portions of the facility by 2023 -12 years earlier than originally planned – and investing significantly more in renewable energy.

Approximately 200,000 Colorado Springs Utilities (CSU) customers may have had personal information stolen last month. 

The utility said the data disclosure did not include sensitive information like social security or credit card numbers. Names, physical addresses and possibly phone numbers and email addresses were likely accessed, though. 

CSU learned of the issue on July 6, although the unauthorized access happened on June 15. A third-party subcontractor was storing the customer data. That company said it's already implemented system enhancements to protect data, according to CSU.

CSU said it chose to proactively notify customers of the disclosure "in the interest of transparency."

The company issued the following statement regarding the measures CSU takes to keep customer information safe:

"We have a robust cyber security policy and security best practices in place to help prevent data loss and/or unauthorized access. We do not disclose information about you, except as necessary, to perform our utility business operations, sometimes with the help of vendors or business partners, or as permitted by law. To learn more, our privacy disclosure is available on our website."

Colorado Springs Utilities said it will never call or email customers asking for information like credit card numbers, payment or social security numbers. Anyone who receives such communication is asked to not respond, but instead call the utility's Customer Service Center at (719) 448-4800.

The utility is sending a letter out to everyone impacted by the disclosure. 

CSU said the incident is not a "data breach" because a limited amount of information was accessed.

According to the utility's website, "a data breach is the loss of sensitive, proprietary, or confidential information and is typically an event that requires notification according to statute.  Due to the limited information that was accessed, this is not defined as a 'data breach.'  
More information can be found here.