Table 4-79 Major Cyber Attacks Impacting Colorado, 2005-2020
Date Reported | Target | Total Records | Description |
---|---|---|---|
July 21, 2005 | University of Colorado, Boulder | 49,000 | Data exposure/ personal identifiable information |
August 2, 2005 | University of Colorado, Denver | 36,000 | Data exposure/ personal identifiable information |
July 17, 2007 | Western Union, Greenwood Village | 20,000 | Credit card breach |
April 22, 2014 | Centura Health, Englewood | 12,286 | Health information breach |
July 3, 2017 | PVHS-ICM Employee Health and Wellness, Fort Collins | 10,143 | Data exposure/health information |
February 2018 | Colorado Department of Transportation (CDOT) | N/A | Data encryption/ ransomware |
February 2019 | Fort Collins Loveland Water District | Unknown | Ransomware |
August 2019 | Regis University | N/A | DDoS |
Fall 2019 | Town of Erie | N/A | Hacked email account led to $1 million being wired to a falsified contractor’s account. |
November 2019 | Archuleta County | N/A | Ransomware |
December, 2019 | Southeast Metro Storm Water Authority (SEMSWA) | N/A | Ransomware |
December 2019 | Aurora Water | 2% of customers | Data Breach |
April 2020 | Rangely District Hospital | N/A | Ransomware |
June 2020 | Children’s Hospital Colorado | 2,553 | Data Breach |
June 2020 | Colorado Information Analysis Center (CIAC) | Unknown | Data Breach |
July 2020 | City of Lafayette | N/A | Ransomware |
Source: Privacy Rights Clearinghouse, Colorado Sun
A 2017 study found ransomware payments over a two-year period totaled more than $16 million. Even if a victim is perfectly prepared with full offline data backups, recovery from a sophisticated ransomware attack typically costs far more than the demanded ransom. However, according to a 2016 study by Kaspersky Lab, roughly one in five ransomware victims who pay their attackers never recover their data.
Recent years have seen a major increase in ransomware attacks, particularly against local government systems, and Colorado has been no exception. In February 2018, Colorado Department of Transportation computers were hit by ransomware; the State refused to pay the ransom and spent $1.7 million to contain and recover lost data. In November 2019, a ransomware attack on Archuleta County resulted in a 12-day outage and severe impact to its dispatch system; attackers demanded $300,000. Rangely District Hospital in Rangely, Colorado, fell victim to a ransomware attack that encrypted files that included patient health information in April of 2020; the hospital said it did not pay the ransom. In July 2020 the City of Lafayette had to shut down their computer network after a ransomware attack; the city reportedly paid the $45,000 ransom.
Reports of successful attacks against SCADA systems are less common. In February 2021, a hacker gained system access to a water treatment plant in Oldsmar, Florida and increased the levels of sodium hydroxide to dangerous levels; however this change was immediately detected by plant staff and corrected.
A large, sophisticated malware attack, known as Olympic Destroyer, was launched against the 2018 Winter Olympics in PyeongChang, South Korea. The attack initially took down servers, email, Wi-Fi, and ticketing systems, which could have severely disrupted the games. Fortunately, the organizing committee had a robust cybersecurity group that was able to quickly restore most functions.
Probability of Future Occurrences
Small-scale cyber attacks such as DDoS attacks occur daily, but most have negligible impacts at the local or regional level. Data breaches are also extremely common, but again most have only minor impacts on government services.
Perhaps of greatest concern to Jefferson County are ransomware attacks, which are becoming increasingly common. It is difficult to predict the odds of Jefferson County being hit with a successful ransomware attack in any given year, but it is safe to say it is likely to be attacked in the coming years.
The possibility of a larger disruption affecting systems within the county is a constant threat, but it is difficult to quantify the exact probability due to such highly variable factors as the type of attack and intent of the attacker. Major attacks specifically targeting systems or infrastructure in the county cannot be ruled out.
Magnitude and Severity
There is no universally accepted scale to explain the severity of cyber-attacks. The strength of a DDoS attack is often explained in terms of a data transmission rate. One of the largest DDoS disruptions ever, the October 21, 2016 Dyn attack, peaked at 1.2 terabytes per second and impacted some of the internet’s most popular sites, including Amazon, Netflix, PayPal, Twitter, and several news organizations.
Data breaches are often described in terms of the number of records or identities exposed. The largest data breach ever reported occurred in August 2013, when hackers gained access to all three billion Yahoo accounts. The hacking incidents associated with Colorado in the Privacy Rights Clearinghouse database are of a smaller scale, ranging from just 32 records to approximately 60,000, along with several cases in which an indeterminate number of records may have been stolen.
Ransomware attacks are often described in terms of the amount of ransom requested, or by the amount of time and money spent to recover from the attack. Increasingly, they can also be described in terms of services impacted, such as phone, email, websites, or even 911 services. One report from cybersecurity firm Emsisoft estimates the average successful ransomware attack costs $81 million and can take 287 days to recover from. Overall, the potential magnitude of a cyber attack can be seen as limited due to the lack of deaths and injuries, but the economic costs can be significant.
Climate Change Considerations
There are no known effects of climate induced impacts on human-caused hazards such as cyber attacks.
Vulnerability Assessment
The impact of a cyber-attack can vary depending on the type of attack and the intent of the malicious actor. Though a cyber disruption can have limited impacts within a system’s own operations, it may cause cascading impacts.
People
Most cyber attacks do not cause injuries or fatalities, and impacts to the public are more likely to be financial losses and an inability to access systems such as public websites and permitting sites. Indirect impacts could include interruptions to traffic control systems or other infrastructure, which could result in casualties. More significantly, a ransomware attack or similar attack on a hospital or 911 system could have significant life safety impacts.
Data breaches and subsequent identity thefts can have huge impacts on the public. The Internet Crime Complaint Center (IC3) estimates that identity theft alone resulted in $2.7 billion in losses to businesses and $149 million in losses to individuals.
According to the Cyber & Infrastructure Security Agency (CISA), cyber risks to 9-1-1 systems can have “severe impacts, including loss of life or property; job disruption for affected network users; and financial costs for the misuse of data and subsequent resolution.” CISA also compiled a recent list of attacks on 9-1-1 systems including a DDoS in Arizona, unauthorized access with stolen credentials in Canada, a network outage in New York, and a ransomware attack in Baltimore.
General Property
The vast majority of cyber attacks affect only data and computer systems and have minimal impact on general property.
Critical Facilities and Infrastructure
While the vast majority of cyber attacks affect only data and computer systems, sophisticated attacks against utilities and infrastructure sites have occurred. Such attacks typically target the Supervisory Control and Data Acquisition (SCADA) systems of critical infrastructure, which can potentially result in system failures on a scale equal with natural disasters. Facilities and infrastructure, such as the electrical grid, could become unusable as a result of a cyber attack. A cyber attack took down the power grid in Ukraine in 2015, leaving over 230,000 people without power. Agencies that rely on electronic backup of critical files are vulnerable.
The delivery of services can be impacted since governments rely to a great extent upon electronic delivery of services. Most agencies rely on server backups, electronic backups, and remote options for Continuity of Operations/Continuity of Government. Some departments in the participating jurisdictions have the option to move to a paper method including permitting, DMV services, payments to and from the county, and payroll. However, access to documents on the network, OneDrive access, and other operations that require collaboration across the county will be significantly impacted.
Loss of government servers due to a cyber attack could affect the ability of responders to do their jobs. Cyber-attacks can interfere with emergency response communications, access to mobile data terminals, and access to critical preplans and response documents.
The delivery of services can be impacted since governments rely, to a great extent, upon electronic delivery of services. An attack could raise questions regarding the security of using electronic systems for government services.
Jefferson County Business Innovation & Technology recommends the following free actions be adopted by all participating jurisdictions, many of which have done so:
Sign up for the MS-ISAC. https://learn.cisecurity.org/ms-isac-registration
Sign up for CTIS https://
Sign up for the DHS CISA external vulnerability scanning. Email and
Sign up and configure MDBR, unless an alternative solution exists. https:// isac/services/mdbr/
Join the Jeffco Monthly IT meetings.
Annually complete the NCSR. https
Economy
Economic impacts from a cyber attack can be debilitating. The cyber attack in 2018 that took down the City of Atlanta cost at least $2.5 million in contractor costs and an estimated $9.5 million in additional funds to bring everything back online. The attack in Atlanta took “more than a third of the 424 software programs offline” and recovery lasted more than 6 months. The 2018 cyber attack on the Colorado Department of Transportation (CDOT) cost an estimated $1.5 million. None of these statistics take into account the economic losses to businesses and ongoing IT configuration to mitigate a future cyber-attack. In all, the FBI’s Internet Crime Complaint Center (IC3) reports that cybercrime has caused $10.2B in losses from 2015-2019; 2019 alone saw $3.5 billion in economic losses, including $65 million in Colorado.
Historical, Cultural, and Natural Resources
The vast majority of cyber incidents have little to no impact on historic, cultural or natural resources. A major cyber terrorism attack could potentially impact the environment by triggering a release of hazardous materials, or by causing an accident involving hazardous materials by disrupting traffic-control devices.
Future Development
Changes in development have no impact to the threat, vulnerability, and consequences of a cyber attack. Cyber attacks can and have targeted small and large jurisdictions, multi-billion dollar companies, small mom-and-pop shops, and individual citizens. The decentralized nature of the internet and data centers means that the cyber threat is shared by all, regardless of new construction and changes in development.
Overall Hazard Significance
The geographic extent of the hazard is considered significant. The probability of future occurrences is considered likely and the magnitude/severity for the event of record is limited. The HMPC considers the hazard to have an overall impact rating of medium on Jefferson County.