What you should do if your personal data has been compromised in a cyberattack

(Yuri Samoilov/Flickr via CC 2.0)

State higher education officials announced last week that an unknown number of Colorado students and teachers had their personal records hacked in June. 

Hackers apparently had access to more than a decade’s worth of data from Colorado students and teachers, including their social security numbers. 

While it’s unknown how many records were copied without authorization, the Colorado Department of Higher Education said it has been taking steps to find out who has been impacted. 

Potential victims include those who:

  • Attended a public college or university in Colorado between 2007 and 2020
  • Attended a Colorado public high school between 2004 and 2020
  • Held a Colorado K-12 education license between 2010 and 2014
  • Participated in the state’s Dependent Tuition Assistance Program from 2009 to 2013
  • Participated in the Colorado Department of Education’s Adult Education Initiatives between 2013 to 2017
  • Obtained a GED in Colorado between 2007 to 2011

Data that was potentially copied includes names, social security numbers, and education records. 

The cyberattack — which came in the form of ransomware — is the highest profile and one with potentially the most impact this year. Last year, a foreign entity took down Colorado.gov, the homepage for the state’s online services. A separate ransomware attack caused Fremont County offices and services to cease temporarily. 

Experts say cyberattacks are becoming more common both nationwide and in Colorado. Odds are, a breach containing your information will happen. Here’s what to do in that case. 

First, what’s ransomware?

Ransomware is quickly becoming the most common type of cyberattack. Not only has it impacted local governments, but hackers are using it to target vital public services, like hospitals, as well. 

In a ransomware attack, malicious actors first obtain access to a company or agency’s internal infrastructure through a phishing attempt or other methods. When they obtain that access, they’ll infect it with malware that locks everybody out and encrypts the data.

At that point, the hacker holds the data they encrypted for ransom.

“They issue a ransom notice essentially saying pay us X money amount of dollars, or you'll lose all your data because it's encrypted and you can't get to it,” said Mark Weatherford, chief strategy officer at the National Cybersecurity Center in Colorado Springs. “Either that or they will start leaking data out to try to incentivize you to pay the ransom or you may never hear from them again. And then you basically just lose access to all of your data.”

Ransoms are pricey, but government entities usually do not pay them, noting that reinstated access is not always guaranteed. Despite that, heavy costs are still incurred. When ransomware hackers took down Colorado Department of Transportation servers in 2018, the state paid $1.7 million in overtime, meals and equipment to restore access. 

Are you a victim of a data leak or breach? Here are some simple steps you can take.

Weatherford recommends a simple and obvious first step if you suspect your data was breached in a cyber attack: changing your passwords. 

In the case of the CDHE hack, social security numbers, which can be used to obtain credit, open bank accounts, and other financial benefits, may have been compromised. Credit freezes can be applied with the three major credit bureaus, Equifax, Experian and TransUnion, which will prevent new lines of credit being opened in your name. 

Individuals should also frequently check monthly bank statements and credit reports to see if there are any unfamiliar lines of credit or charges. 

“These criminals will do some test charges on an account just to make sure that it's going to go through before they actually try to wipe out an account,” Weatherford said. 

If you suspect passwords were compromised, Weatherford said to set up two-factor authentication to ensure extra protection for your accounts. He added that two-factor authentication is good practice regardless of if you’ve been impacted by a cyberattack.

“I tell people all the time that if a bank or a financial organization doesn't offer two-factor authentication, then I go to a different bank,” he said.

Why do hackers care about non-vital information, like education records?

In data breaches, hackers usually copy more than just names and social security numbers. In the CDHE breach, officials said hackers also had access to education records. In other attacks, ransomware hackers gained access to medical records, demographic details, and other pieces of information. 

While that kind of data may seem random and inconsequential, Weatherford said hackers can use it to plan individualized cyberattacks. 

“The more information I know about you, the better picture I have of you,” he said. “[A hacker] might go to you and say, ‘Hey, we were classmates back in 1992 and, and professor so-and-so was our teacher for econ.’ You can build trust with someone and then a lot of other kinds of bad things can happen at that point, once I begin a successful phishing campaign.”

Weatherford advises people to be wary of out-of-the-blue emails and messages from people purporting to know you. He said to look up their names, check public records, and if those queries set off alarms in your head, to block them. 

“It’s just a way we are in society and life in 2023, but we have to be suspicious and wary of everything all the time,” he said. 

What are some other ways I can protect myself against future cyberattacks?

Weatherford said there’s not much you can do to protect yourself from data breaches, since many organizations already have your data. The most individuals can do is hope that government entities have up-to-date cyber security protocols in place.

However, there are ways to prevent yourself from being the source of a data breach. Hackers often target individuals at companies to see if they’ll fall for a phishing scam that can provide access to their servers. 

Weatherford said password managers, applications that help create and track strong passwords, can be a good way to keep separate accounts secure. If you use one password for every account, hackers only need to breach one system to access other accounts. Weatherford warns, however, that password managers can also be compromised

He also said limiting your online presence is a smart decision. Security questions may be able to be guessed depending on what you share on social media — things like the name of your first pet, or where you were born are often used by companies in case you need to reset your password.