Colorado Springs Utilities says some customers’ personal information was stolen

· Jul. 14, 2022, 1:44 pm
210729-CMOTR-COLORADO-SPRINGS-DRAKE210729-CMOTR-COLORADO-SPRINGS-DRAKEHart Van Denburg/CPR News
The Martin Drake Power Plant in Colorado Springs.

Approximately 200,000 Colorado Springs Utilities (CSU) customers may have had personal information stolen last month. 

The utility said the data disclosure did not include sensitive information like social security or credit card numbers. Names, physical addresses and possibly phone numbers and email addresses were likely accessed, though. 

CSU learned of the issue on July 6, although the unauthorized access happened on June 15. A third-party subcontractor was storing the customer data. That company said it's already implemented system enhancements to protect data, according to CSU.

CSU said it chose to proactively notify customers of the disclosure "in the interest of transparency."

The company issued the following statement regarding the measures CSU takes to keep customer information safe:

"We have a robust cyber security policy and security best practices in place to help prevent data loss and/or unauthorized access. We do not disclose information about you, except as necessary, to perform our utility business operations, sometimes with the help of vendors or business partners, or as permitted by law. To learn more, our privacy disclosure is available on our website."

Colorado Springs Utilities said it will never call or email customers asking for information like credit card numbers, payment or social security numbers. Anyone who receives such communication is asked to not respond, but instead call the utility's Customer Service Center at (719) 448-4800.

The utility is sending a letter out to everyone impacted by the disclosure. 

CSU said the incident is not a "data breach" because a limited amount of information was accessed.

According to the utility's website, "a data breach is the loss of sensitive, proprietary, or confidential information and is typically an event that requires notification according to statute.  Due to the limited information that was accessed, this is not defined as a 'data breach.'  
More information can be found here.

You care!

You want to know what is really going on in Southern Colorado these days. We have got just the thing for people like you: the KRCC Weekly Digest. Sign up here and we will see you in your email inbox soon!