Colorado energy company loses 25 years of data after cyberattack while still rebuilding network

DMEA did not use the term "ransomware" but said much of their data had been corrupted while phone and email services were down for weeks.
Written by Jonathan Greig, Contributor

Colorado's Delta-Montrose Electric Association (DMEA) is still struggling to recover from a devastating cyberattack last month that took down 90% of its internal systems and caused 25 years of historical data to be lost. 

In an update sent to customers this week, the company said it expects to be able to begin accepting payments through its SmartHub platform and other payment kiosks during the week of December 6.

"We also tentatively estimate we will be able to resume member billing the week of December 6 - 10. We recognize this will result in members receiving multiple energy bills close together. As a reminder, we will not disconnect services for non-payment or assess any penalties through January 31, 2022," the company said on a page that has been updated repeatedly over the last month. 

The company said it began noticing issues on November 7, and the cyberattack eventually brought down most of its internal network services. The attack affected all of the company's support systems, payment processing tools, billing platforms and other tools provided to customers. 

DMEA said the hackers were targeting specific parts of the company's internal network and corrupted saved documents, spreadsheets, and forms, indicating it may have been a ransomware incident. 

The attack even affected the company's phone and email systems, but DMEA said the power grid and fiber network were not touched during the attack. 

The energy company hired cybersecurity experts to investigate the incident, but they are still having issues recovering nearly a month later. 

"We are currently operating with limited functionality and are focused on completing our investigation and restoring services as efficiently, economically, and safely as possible. We are committed to restoring our network and getting back to normal operations, but that will take time and requires a phased approach," the company explained. 

They created temporary payment arrangements to deal with the outages and have suspended all penalty fees and disconnections for non-payment through January 31, 2022.

Despite the damage to their system, DMEA claimed no sensitive data from customers or employees was breached. But they now have to work through a "phased restoration approach" as they rebuild their systems. 

DMEA CEO Alyssa Clemsen Roberts said the impact on their systems was "extensive" and that a good portion of their saved data, such as forms and documents, was corrupted. 

"The path to full restoration will take time, and it may result in many of our members receiving back-to-back energy bills. With colder weather approaching and the holiday season already here, we recognize this incident has come at an unfortunate time," Roberts said. 

"This isn't how we hoped to close out the year, and on behalf of all of us at DMEA, I am grateful for your patience, support, and understanding as we navigate this incident."

Saryu Nayyar, CEO at cybersecurity firm Gurucul, said utilities tend to have complex networks that often comingle enterprise operations with mission control.

"It's a bit of a surprise that we haven't seen more attacks on public utilities, but there is no question that more are coming," Nayyar explained. 

The headline-grabbing ransomware attack on Colonial Pipeline earlier this year involved similar issues. Attackers brought down the company's business technology networks, forcing the energy-producing side to struggle as well. 

SecurityGate CISO Bill Lawrence added that while the term 'ransomware' is not in any of the reporting or DMEA's explanation of events, they had a large portion of their data corrupted, and their internal phone system went down too. 

"It will be interesting to learn a motive behind this attack if there are no ransom demands," Lawrence said. "Co-ops are owned by their local communities, so the local folks will be dealing with increased costs due to response and recovery from the attack."

Editorial standards