Screenshots show redacted text messages provided to The Denver Post by the Governor’s Office of Information Technology in response to a public records request regarding a ransomware attack on the Colorado Public Defender’s Office. (Image from the Governor’s Office of Information Technology)
The Colorado Department of Public Defenders acknowledged that personal data may have been stolen in a ransomware attack that crippled agencies across the state in early February, but continued efforts to restore systems after the hack were made. I won’t say much more about these efforts.
The files were “copied without authorization” during the cyberattack discovered on February 9th and may have included names, social security numbers, driver’s license numbers, medical information, and health insurance information. The agency announced in a statement Friday.
Officials with the public defender’s office say they are continuing to investigate whose personal information may have been stolen and whether the personal information of attorneys or their clients was compromised. A statement on the agency’s website urges “individuals” to remain vigilant against identity theft and fraud.
It’s been more than a month since a ransomware attack locked out public defenders across the state from their computers and files, leaving them unable to do their jobs and forcing hundreds of court hearings to be postponed until next week.
Officials this week declined to answer questions from The Denver Post about what parts of the agency’s systems remain inoperable. In a ransomware attack, hackers use malware to hold an organization’s data hostage and demand payment in cryptocurrency in order for the organization to regain access to that data.
The public defender’s office did not disclose the amount of the ransom requested or whether it had been paid. A statement posted on the agency’s website said the agency has “made progress toward fully resuming operations.”
Heavily redacted emails and text messages released to the Post this week by the Governor’s Office of Information Technology in response to an open records request referenced cyberattack recovery law firm Maren Coughlin. Chief Deputy Public Defender Zach Brown declined to confirm whether the public defender’s office is working with the company.
“We have provided all the information we can at this time,” he said in an email.
A message left with the Pennsylvania-based law firm was not returned Wednesday.
The Governor’s Office of Information Technology confirmed that between February 9th and February 23rd, more than half of the text messages exchanged between its staff and Colorado Public Defender Megan Ring indicated that the messages were from the state. It was redacted because it was exempt from public records laws. The firm cited immunity related to attorney-client privilege, the deliberative process, security arrangements, and law enforcement investigations.
“OIT believes that making these documents public would limit OIT’s ability to engage in honest and frank discussion about cybersecurity issues and provide free input to state agencies, thereby impeding OIT’s ability to carry out its mission. “We are withholding these documents because it would cause serious harm to the public, and we are obligated to do so,” Chief Information Security Officer Jill Fraser said in a statement released by the public record. he wrote in an affidavit attached to the document.
Sign up for our daily Your Morning Dozen email newsletter for more Colorado news.
