Nov 27, 2013

Tim Gallen and Mike Sunnucks report:

The Maricopa County Community College District is notifying nearly 2.5 million students, former students, vendors and employees because their personal information may have been exposed in a security breach.

The Tempe-based college district announced today that it is contacting 2.49 million students, employees and suppliers that their information may have been exposed without authorization.

Sensitive information such as names, birth dates, Social Security numbers and bank account information was exposed, according to the district. MCCCD operates 10 community colleges and also has dual enrollment programs with local high schools.

However, MCCCD officials are not aware of any evidence of any misuses of personal information. Spokesman Tom Gariepy said students or others who worry about identity theft or other fraud can contact a credit services company the district has hired.

“While we are not aware of misuse of anyone’s personal information, we are providing resources to assist all of the people whose information was in these systems, including credit monitoring and other identity safeguards, managed by a nationally known identity protection firm,” said MCCCD Chancellor Rufus Glasper in a statement. “We are examining every aspect of our IT operations, and the changes underway are making us stronger system-wide.”

District officials learned of IT security issues in April this year and began investigating.

Read more on Phoenix Business Journal. In related coverage, KPHO reports that the college district learned of the breach from federal law enforcement on April 29. They also report that names, dates of birth, Social Security numbers and bank account information – but not credit card information or health records – were exposed. Neither news source is clear about the nature of the breach.

UPDATE: I see commenters questioning as to whether it’s a legitimate service. Note the reference to Kroll on the site. Kroll is a well-known company for cybersecurity issues. Its parent company is Altegrity. You can check them both out. That said, I agree that idintegrity’s web site is lame. They should have introduced themselves and their credentials before asking people to input their personal information.

UPDATE 2 (Dec. 16): I just spoke with MCCC about comments that people do not know why they are receiving letters or how MCCC got their information. IDintegrity should be able to give you that information, but MCCC will be sending me a statement explaining it that I will post on this site when I receive it (hopefully later today or tomorrow). Stay tuned…

UPDATE 3 (Dec. 17): I also spoke with Kroll/IDintegrity today and told them about concerns with the site. I urged them, too, to respond. So far, I have not received any statement from either MCCCD or IDintegrity that I can share with you all. I feel your frustration. And I’ve written another blog post based on your experiences, “There are lessons to be learned from the Maricopa County Community Colleges breach. Learn them, dammit.”

UPDATE 4 (Dec. 19): I have received no statements from MCCCD or IDintegrity/Kroll to post here. How foolish of them not to respond when people are obviously confused, distrustful, and upset. They’ve provided a case study in how NOT to respond to a breach.

UPDATE 5 (Dec. 20): A self-described “ethical hacker” says all your personal information may still be at risk.

UPDATE 6 (Feb. 19): And now the litigation begins. See this post.

  98 Responses to “Maricopa Community Colleges notifies 2.5M after data security breach (update 6)”

  1. I received the letter, confirmed on MCCCC that a breach did occur, signed up for their credit offering. The latter doesn’t actually do anything but email you an alert if something happens. There is no access to current credit data as one might expect.

    I called the number today to start investigations; they put me on hold; and then told me everyone is busy and they would call me back. They never did!

    I have an old bank that I used when enrolled at MCCCC that is calling for my current address, and a collection agency calling to collect on an alleged promissory note…all of this within the time frames??? Something is wrong.

  2. Been a hellooooo of a day… I shopped at Target too.

  3. I too was enrolled in early 90’s. When you log into idintegrity with your “membership number” the first thing they ask for is your SS#. You would think that they would have it if it was in your records at the college?? My letter is dated Dec 11, 2013.
    The whole thing stinks!!

    • The college cannot give IDintegrity your SSN because they don’t know if you’ll want to sign up for the service. You’d be furious at them (rightfully so!) if they did give it out without your request or permission.

  4. Everything you need to know about the incident is posted on the New Hampshire DOJ’s website. Here is a link to a government letter describing the incident, the timeline, and the remediation steps taken. The end of it contains a copy of the IDIntegrity / Kroll letter everyone is receiving. It’s not a scam. The IDintegrity website has been down for a while though, which is sad.

  5. Think of all the poor students graduating from this school district and having to put this school on all their future job applications (especially those with IT degrees)!!!

    “Question: So where did you go to school?” Answer: “er, well…do you remember that school that was hacked? Well, that one.” You are hosed for life.

  6. I also got one of these letters. I have a lot to lose if my identity is stolen as I have considerable assets in banks and investments. Not much I can do other than wait for the possible knock at the door from somebody telling me I owe them a few hundred thousand.

    That said, I do not trust this idintegrity web site. It looks like a scam site and offers nothing to inspire confidence in me. In addition there is no contact phone number to talk to a human. I really hope there is a class action suit. MCC needs to learn a painful lesson. I am totally disgusted.

  7. I found this site after looking at the letter I got recently; I was going to go thru with the idintegrity thing, but something just didn’t seem right about it – so I did some research, and here I am. I ended up putting a 90 day fraud alert on my credit file via Equifax (which also auto-updates Experian and TransUnion). I’ll probably pull my credit file from one of the three in January – I’ve had a recent (a couple of months ago) issue where my bank (BofA – they may be evil in some ways, but they do a helluva job monitoring their systems) had to issue me a new debit card/number because of possible fraud (but I never noticed anything on my statements or such – I watch those weekly or more often). Given how long this breach has been going, I doubt that anything I do now could much change things. My greatest worry is somebody using my name/info for employment purposes, or some other scamming (or illegal) reason, only for it to come back on me later.

  8. My concern with IDintegrity/Kroll is that when proceeding forward on their site, they have weird restrictions on username and password. I can’t have special characters, and it must be between 6-15 characters? Password and username length shouldn’t matter if they are properly hashed, but this implies that they’re using an old database…which will eventually get hacked.

    It’s the circle of life, or something.
