The Denver Gazette: Despite a law to do so, the state agency overseeing Colorado’s higher education system didn’t promptly flag law enforcement about a massive data breach it discovered in mid-June until a staffer inadvertently mentioned it at a meeting long after the damage was done, according to documents obtained by The Denver Gazette.

Although Colorado government agencies are required to report to the attorney general any data security breach within 30 days of its discovery, the state Department of Higher Education instead kept the ransomware attack on its servers quiet for several more weeks, according to department emails shared with The Denver Gazette and a copy of the report it filed with the Attorney General’s Office.

The department only began to reveal the extent of the breach on July 28, six weeks after it was discovered on June 14, when data information officials from several Colorado universities learned of it during a meeting in which a mid-level manager at the state agency mistakenly mentioned it, according to those emails.

Visit The Denver Gazette for more.