Metropolitan State University of Denver Data Breach Impacts 5,237 People

On January 4, 2025, Metropolitan State University of Denver (MSU Denver) discovered unauthorized activity affecting university email accounts. According to the official disclosure, the breach was identified when the university detected that outside actors had briefly gained access to certain email accounts within their environment.

The investigation revealed that a total of 5,237 individuals in the United States were impacted, with one individual affected in the state of Maine.

The breach potentially exposed personally identifiable information (PII), including names and other details specified in individual notifications (such as Social Security numbers or other sensitive data, depending on the person).

MSU Denver began an investigation, changed passwords for affected accounts, and engaged leading data security and privacy professionals to assist in the response. The university also reported the incident to the appropriate regulatory authorities. The breach was officially disclosed to the Maine Attorney General’s office on May 13, 2025, and affected individuals were notified in writing on May 12, 2025.

The full disclosure can be found on the Maine Attorney General’s data breach portal.

Metropolitan State University of Denver's response

In response to the incident, MSU Denver immediately secured the affected email accounts by changing passwords and working with external cybersecurity experts to investigate the breach. The university conducted a detailed review to determine the scope of personal information that may have been exposed. They have also reported the matter to regulatory authorities as required by law.

For those affected, MSU Denver has provided a dedicated phone line (888-562-7109) for questions and support, available Monday through Friday, 6 am – 6 pm Mountain Time. The university’s notification letter encourages vigilance, recommending that individuals regularly monitor their credit reports, review account statements, and promptly report any suspicious activity to financial institutions. Additional resources and guidance on protecting personal information—such as placing fraud alerts or security freezes with credit bureaus—are outlined in the consumer notice, which is available at the bottom of this page in PDF format.

Given the nature of the breach, it is important for affected individuals to remain alert for signs of identity theft. Taking proactive steps such as reviewing credit reports, considering a security freeze, and staying informed about best practices for personal data protection are all strongly advised.

To learn more about the university, visit the Metropolitan State University of Denver website.