Nov 272013
 

You are currently browsing comments. If you would like to return to the full story, you can read the full entry here: “Maricopa Community Colleges notifies 2.5M after data security breach (update 6)”.

  98 Responses to “Maricopa Community Colleges notifies 2.5M after data security breach (update 6)”

  1. I may be someone who is part of the identity theft, and I can say I am absolutely disappointed in how this was handled, the delay of information provided, the lack of details, and the “Well, so far we don’t think anyone’s information was compromised, but here is a free year of identity monitoring, just in case” bandage they offered. My family member received a letter, today, and she had not attended school there since the early nineties. I am curious to know why her information was not put off-line in an archive, given her long status of inactivity at the college. I attended last in 2006, and I paid out-of-pocket, which means my bank information was exposed. The disappointing casual handling of this incident does not satisfy my pensive fear of finding out someone committed a crime using my identity and I will be detained, or the potential use of my information years into the future. A large amount of incredibly personally identifying information was exposed and placed on the market for sale, and it is a matter of time before it comes into play for criminals.

    • Elsewhere on this blog, I have posted links to two follow-ups on this breach that you may want to read. You’re asking some excellent questions, but of course, that’s little consolation now that your details may be in the wild or have been sold to criminals.

      Historically, no one has ever really done anything about data breaches in the education sector.

      [Remainder of reply deleted after I realized FTC doesn't have authority over non-profits. Ugh.]

      • I think there has been a number of laws broken, FERPA, to protect student information, banking laws because they exposed account info. They say no health information but what about students in health fields or people that go to college clinics? They also mentioned vendors, I hope one of the vendors wasn’t their health or disability vendors. I think the costs are going to go a lot higher than they have budgeted for. Especially when the news reports how lax the security controls have been. Of course with all the spin and smoke and mirrors, the people that should be held accountable will be long gone. Breaches happen but not at this scale

    • My husband and I have not attended since the 70’s, that right…1970’s and are almost ready to retire and got the same letters. Why did it take from April 29 to notify us. Between April through December our information could have been used to the tune of hundreds of thousands and we just now hear about it. Wow. Thanks for letting me know 8 months after the fact. And…how do they know that nobody’s info has been used. All they have to do is change the address and make a few minimum payments and by the time they stop making those minimum payments, the trail is cold and the victims are left to deal with it.

    • Dear Mr school Chancellor, Thank you for sending me the notification that you released my personnal date to criminals! I also appriciate the one year protection by a questionable security company. I am sure the individuals with our info have no idea that it will expire in one year. I would also appriciate you sending me the scheduled dates for the public executions. I would very much like to attend.

  2. WOW! I just got a letter today!…I went back and forth wondering if this was real…I thought…what a perfect way to scam the info out of people by sending them a letter telling them to call this company for free monitoring services…. Um I am headed to the college to talk to them directly…I wish they would have set up a number for Maricopa Colleges to handle my call but instead the letter only gives the number to the monitoring service! They can’t even give a number to their offices to answer my questions? What a runaround!…

  3. I just got a letter today as well. I too thought it was some sort of a scam. Guess I should go talk to the morons about this. Oh, and way to go on the speedy alert they sent so late!

  4. So they haven’t heard of anyone being affected? I’m currently dealing with ACE Cash Express because someone took out a loan online in my name, with my SSN and address, and ACE is coming to me to collect. I’m in the midst of filing a police report, and I get this letter from MCC. Hmmmmm. Coincidence?

  5. I got a letter today as well, and I haven’t attended an MCC college or lived in Arizona for TWENTY YEARS. How did MCC find my address? And do I really want to cough up my social security and phone numbers to the presumed credit monitoring service. This whole thing stinks to high heaven. I can’t believe there isn’t more internet buzz about this!

    • What if Idintigrity is a start up security company with a friend working at MCC! What a way to start a new business with 2.5 m new customers, most of which won’t drop off after the first year, knowing the the info is still out there. I am going with lifelock and sending MCC the bill. If they choose not to pay I will see them in small claims.

    • I am in the exact same situation! I fail to understand why personal information this old was not archived and instead left online where it could be compromised. Maricopa Community Colleges have acted irresponsibly with people’s personal information. The action they are taking now is a day late and a dollar short. I am all in favor of a class action law suit.

  6. i too received this letter from MCC yesterday. Haven’t attended MCC since the 70’s and am appalled the school still had ‘my’ records available for stealing some 40-odd years later. Seems like these so-called ‘educators’ are too stupid to be operating in todays hi-tech world via a collegiate environment.

  7. My letter said “On October 18th, 2013, we determined that your information… may have been accessed without authorization”. This article says the breach was discovered in April. Did it take 6 months just to to determine who was impacted or is this breach #2 this year???

  8. Has anybody contacted idintegrity.com as of yet? my web browser would not open it. When I made it it was not a scure website.

  9. Just looked it up. Yes it made the news. I to have not been there since the 90’s. Crazy!

  10. I have contacted idintegrity.com. Strange…I keep getting emails telling me changes have been made to my profile and for me to contact them at 1-800-806-3917 to verify my identity? They also have claimed they ordered my Credit Report. Why is this? to get me to give them more information about my identity? This whole thing sounds weird. What took 8 months to notify me of the Breech? Has anyone else had this kind of problem?

  11. I never even went to MCC?????!!! I went to a private school, Bryman. Are they connected or does MCC own Bryman?
    This is ………… weird!

    • I don’t see Bryman listed as being part of MCCC. Maybe you should call MCC or the number given in your letter and ask how they got your information since you never went to MCC.

      Then let us know, please.

    • Inever went to mcc but i did go to bryman

  12. I got the letter today. I never attended this school. Is it a scam?

  13. I, too, received a letter in the mail regarding this issue and it claims I have to submit LOADS of personal info to http://www.idintegrity.com. Does anyone have ANY idea whether or not http://www.idintegrity.com is legit or is it simply some scam-artist trying to piggyback off the news to collect all of this personal data by dropping a mailer?

    Let me know if anyone has any experience with http://www.idintegrity.com.

    Gerald

  14. I received a letter today. I never attended their school. Never worked for them or had any contact with them what-so-ever! My bank called me concerning charges they viewed as fraud last month and I had to cancel my debit cards and have the charges reversed. Something is definitely wrong here!!!!

    • Same thing happened to me. September my debit card was compromised. The letter I rec’d today says that MCC had info compromised in October. I NEVER attended or had anything to do w/them. Some grad program info from Univ of Phoenix. AND MCC doesn’t even seem to be based out of Ga. Out of Az., but not Georgia.

  15. This whole thing is making my stomach churn.
    For God’s sake, I’m only 20 years old trying to get my life situated and I get this letter today.
    Tried going to the site idintegrity they provided, and it was apparently a broken link. I don’t want to give my identity up to these people if its not legit. Has anyone been in contact with idintegrity??? If so, what is your opinion?

    • When I saw that the firm was asking the confidential information, I checked with a colleague who did register with Idintegrity. He reassured me but when I logged on and filled in the form, the thing didn’t go through – their site was having problems. Now I’m wondering if they captured all that info on me and are not really there at all!

      • Same thing just happened to me. I’m at a different university now, studying for my Accounting Information System final tomorrow, and reviewing all the different types of fraud made me paranoid enough to take MCC up on their offer to provide me with a year of free credit monitoring. I got all the way to the page submitting my acceptance to the terms and conditions, but the site wouldn’t stop loading until it finally errored out. I did receive an email, so hopefully that means everything is okay. But I can’t help but wonder the same thing… whether this is legit or not. That is what lead me to searching and finding this website. This is a big deal. I don’t know Kroll, or idintegrity, and I’m hoping a didn’t’ just open myself up to a bigger mess by attempting to sign up for their service.

        • I called the MCC’s hotline and they assured me the site was legit. I keyed in my SS# and they came back with accurate questions about which loans I had take out, who had lived with me in the past, etc. Like others, when I got to the end of the registration I got the message below. I called the #, it’s fhte hotline again, they apologized for the website and checked if I was actually registered. Despite saying they didn’t keep my information they had, I was registered. I’ve sent an email to MCC and the AZ Attorney General’s fraud office.

          We’re sorry but…

          We are unable to complete your subscription due to a system problem. As a result of the error, we have not retained any of your data. Please return later to subscribe or contact Customer Service at 855-330-6366

  16. Havn’t tried the wed site yet, may not. wondering, has anyone talked direct to the college?? the news may be triggering off the flap from the letters?? anyone signed up to idintegrity yet?

  17. Received the same letter as everyone else today. But I’ve never attended this school. Hello im in New York and never left this state.

  18. Was a student back in the ’80s and received the letter today. I have no idea how they found me on the east coast, but I guess it’s a relatively small world. It’s interesting that the web site they have in the letter (www.idintegrity.com) doesn’t work at the moment. Perhaps their web site uses the obamacare site developers.

  19. I got this letter in today’s mail, NEVER went to anything what so ever connected with MCC schools, attended U of A in the 70’s, period. What I don’t understand is how they even found me or would possibly have had ANY data on me in their system. I already do pretty heavy credit monitoring and have fraud alerts on all my files so no one can open any credit in my name without me being personally contacted to verify the info. I know this works because when I have tried to open a new account I can never get “instant approval” even though I have a very high FICO score and call always qualify.

    So folks, a word to the wise, you don’t need to give these people any info, just contact the 3 major credit bureaus, let them know that you are concerned that you COULD be a victim of identity theft due to exposure of your info from MCC, tell them to put a fraud flag on your file. It will slow down you getting credit by a couple of days and will result in a phone call from the the security people at the institution you are applying for credit at, but you won’t find anyone able to get credit in your name either.

    The alerts are good for 90 days and will be auto renewed by the various bureaus, this is all FREE, don’t let them talk you into paying for any monitoring if you don’t want it, this will stop the bad guys. You need to contact Equifax, Experian and Trans Union and you can find their info here: http://www.fdic.gov/consumers/consumer/news/cnwin0203/three.html

    I hope that helps!

    • thank you very much for the tip! I am guessing that the credit bureaus will be a little hard to reach by phone for a while with 40 million distraught Target customer running around out there!! I’ll probably go the certified mail route.

  20. What is amazing is that this is blamed on employee misconduct and yet no one is questioning the people that controlled the finances and made the decisions. This has been a train wreck waiting to happen for years. Software was outdated because so many custom modification were done and not documented, that it was impossible to update before the software lost support . Similar to losing support for Windows XP. If Maricopa does have breach insurance, I doubt it will cover a breach caused by ignoring security best practices. It’s not like the District hasn’t been warned about the risk, they simply put their heads in the sand and hoped it would go away. I doubt, even in 7 months, all the data has been identified and no one has indicated when or how long the breach has been going on. The District only found out about after the FBI notified them, it could have been going on for years!

  21. My son received one of the letters on Friday. I don’t think he has even set foot in Arizona. I don’t know what’s going on with these letters but will be calling the school for sure to follow up.

  22. I haven’t gone since the 80’s. My son who has been going since 2007, still enrolled, hasn’t received any such letter. The letter looked suspicious to me.

  23. My girlfriend and 90 yr old grandmother also got these letters and niether have ever registered at any college let alone one affiliated with MCC. Hmmmm

  24. Received my letter today. This is my second time (first time was from a financial institution) where my information was stolen/misplaced/released/etc.

    I am so sick and tired of institutions not having the proper security in place to prevent these type of things. At least my first time, we received more of an explanation than from MCC. The last time I was given a full-year of the same type of services.

    Granted nothing happened to my credit fortunately, I feel like there needs to be some type of repercussions for these institutions besides the costs of providing these services to those whose information was taken.

    My last experience with the financial institutions provided me with a “good” type of service which was highly reviewed online. I am extremely disappointing with the service MCC provided to me. This website is poorly built and leaves the user confused and wanting more information than what is provided online, without having to call a freaking toll free number. I searched for reviews about this service and found Nothing which causes suspicion.

    I would not be surprised if the Chancellor or someone affiliated with MCC has a “relationship” with this id theft parent company, or they chose this company because of the low cost (which the appearance of the site would imply). I do not want to talk to a licensed investigator, I want to go online and check all statuses of my credit report and be able to view details.

    The 8 month time delay between the incident and my letter is appalling. My letter says October 18th, they determined my information has been accessed, while this article says April.

  25. Please help!!

    I got this letter as well today in the mail! I am not sure if I should trust this letter or not. I attended college in Northern AZ at a private university for aeronautics. This was in Yavapai County and NOT in Maricopa County. Something is really strange here. Please help!

  26. I am just wondering if anyone has looked at or registered on idintegrity.com? I got this letter about 7 days ago and I am just wondering if I should look into the idintegrity website or if I would be better off talking to my bank to have my accounts monitored. Any idea?

  27. Same letter as the rest. Have recent credit card fraud, but I believe it is not related to this subject. MY GUESS is that the breach occurred a couple of years ago. Had ID theft from Arizona, using my identity, but as a female with slight change to the name. I would never have known this, but OPM contacted me due to my security clearance to go to the a Social Security office and fill out a reporting form.
    Notice how the Chancellor was recently appointed to the Homeland Security advisory council…..my guess is this is a payoff for all the illegal alien voters he brought to the Dems in 2012.

  28. I too received the letter in the mail. Rather concerned of any security breach etc. and cannot even remotely figure out how I recieved a letter. Never attended Maricopa or its colleges that I recall unless I took a certification course or something. I dont know but one thing is certain, in no way am I going to use the provided idintergrity site or give any info to them. Something smells fishy with all of this. Beware!!

    • Yes, I’m waiting for a formal statement from MCCC that I can post to this blog, but it seems a lot of people may have take online certification or re-certification courses for their work (fields like EMT and other fields) and never realized that MCCC was involved in their course.

      IDintegrity is legit. Kroll is a huge well-known firm. I will be speaking with them tomorrow about the IDintegrity web site as it just doesn’t inspire confidence in the average consumer who doesn’t know about Kroll.

  29. 2.3 million letters notifying people their id may have been stolen? Just the postage alone is astronomical. What idiot would leave millions of Arizona citizens vulnerable with their sensitive data laying around for hackers to steal? What is this place the ACA website? This is a crime by the community college. They will be getting sued up the ying yang over this one. Stupid twits.

    What I want to know is what they are doing to purge the records of students once they stop taking classes.

    • This reminds me of the NSA trolling for information to give to the IRS so they can attack political enemies that don’t agree with the liberal progressive idealism .

      • PEOPLE: Of the government, by the government, for the government!! Welcome to the future! Throw ALL the bums out!

  30. I decided to join LifeLock instead of that this letter says. I received two letters at home one for me and one for another person I have never heard of before. It is $25 a month for LifeLock and I know they are a legit service.

  31. Ok people…..lets get organize. we need someone that lives near the school and can go and talk to them and let us know whats going on. and if we are going to do lawsuit get a hold of a lawyer that knows how to deal with this. if u dont live in that state, u probably did a certification online which is done by MCCC and thats how they got your info.

    • How about a class-action lawsuit?

      Like many of you, I have never attended the school and have not lived in AZ since 1999. Yet, here they are maintaining my confidential information on their unsecure servers. Interesting they know my current out-of-state address. The response from their call center is pure nonsense and they tell me that they intend to maintain my data forever due to AZ Statue ARS41151, despite my explicit request to purge it.

      • Yeah the same here don’t live in AZ and have never attended one of their school’s. I think A Lawsuit is in order.

      • I definitely think there is some sort of data/personal information share going on between colleges. I was accepted to ASU, moved to Phoenix for 8 weeks and decided it wasn’t for me and moved away — never attended a single class at asu, let alone anything to do with Maricopa CC. Info sharing had to have happened with other schools too, which I am NOT ok with! And that needs to be investigated further.

      • I think Lifelock for life would be a more fitting penalty for them!

  32. Danny I never gave them my current information and haven’t been in AZ in about 11 years.

    This whole thing is atrocious and I think a lawyer is needed. The article I read said the FBI caught wind they were selling our information, these school workers. Our identities being stolen and sold like that is unacceptable in my opinion.

  33. In this news article in explains how you personal info was corrupted even if you were never in AZ, and explains the letter we all received is legit and not a sell you letter but to break your personal info. You can also run a search engine on identity theft. Chase has a idenitity theft kit filled with info to protect yourself from id theft and account take fraud. I never use my MMN on my debit and credit cards anymore. Change it to a Password.
    http://www.azcentral.com/news/arizona/articles/20131206id-breach-may-cost-mcccd-million.html

  34. We knew the site got hacked a few years ago, because the FBI contacted us before. We hired a security company to come in and help fix it. We begged upper management to let us wipe the server and start over and they refused. The contract to pay for those services are discoverable through AZ public records law. Someone just needs to be a journalist and look for it.

    • MCCDCD claims that in January 2011, the FBI contacted MCCCD and informed IT that one database was up for sale on the Internet. They claim they then conducted an internal investigation and then brought in Stach & Lui to investigate vulnerabilities, etc.. S&L issued a report that went to IT, but according to MCCCD, that report was never seen by executive leadership. They claim that in May 2013, while investigating the newer FBI report that there were now 14 databases up for sale on the Internet, they learned that IT employee(s) had withheld crucial information from Stach & Lui in 2011, and it was the withholding of that information/obstruction that was ultimately responsible for the 2013 episode.

      In other words, they’re hanging this on the bad behavior of one employee, it seems.

      If you know otherwise, I’d love to talk to you. I don’t have time/resources to do FOI requests for every breach and am busy investigating another breach, but if you’ve got something usable/reportable, I’m all ears.

  35. My two daughters and myself all received the same letter in the past week. None of us have attended MCC but I think we all may have looked into classes there. So not sure what information they may have had about us. The link to the website doesn’t work, that’s how I ended up here. Sounds like a scam to me!

  36. I have never taken Classes In Arizona Beyond 8th Grade and haven’t lived in AZ Since 1992. How Do They Have MY Personal Information?

  37. There needs to be a class action lawsuit filed… I am so upset. I applied at MCC, but decided not to go. This is what I get?

  38. Yup. I got the same letter today. My brother as well. We both currently live in the same house and both went to MCCC.

  39. I received the letter about a week ago and I’m glad I found this site. I’m not too worried though, since my letter indicates no credit card info was taken.

    Now that we’ve been told the NSA is capturing not just all email, but recording cell phone locations too, I think we have bigger things to worry about.

    Hopefully, our Justice Dept. will gather some courage and start to deal with data breaches and theft, unauthorized sharing of personal info, and unethical violations of privacy.

    I plan to check back here for updates to this goofy situation.

  40. I received the same letter, though I still think something seems fishy about it. I attended SCC in the early 90’s.
    I’ve since moved to 3 different states and never contacted MCC to have them update my records… So, how’d they find me?
    Granted, this may be one reason it took so long for them to send out letters to those of us at risk.

    If this really impacts 2.3 Million people why isn’t there more reporting being done on the subject from reputable news sources (granted, what’s reputable?).
    I searched Google and didn’t find any of the big syndicates running this story. I only found sites I’ve never heard of like this one, azcentral, bizjournals.com, esecurityplanet… etc. running with the story. That’s concerning to me. (No offense to this particular site – it may be reputable, I’ve just never heard of it).

    I would love to hear that this is just a scam to get us to sign up with some credit protection company. Fingers crossed…

    I think a call to the 3 National Credit Bureaus to add a ‘fraud alert’ is the best option.
    Equifax, Experian, TransUnion

    Good luck…

    • Most members of the public don’t know about my site until they go looking for coverage on a particular breach because Google doesn’t index this as a news site because I publish under a pseudonym. My site is very well-known, however, among those who research or are concerned about data breaches, and many mainstream reporters use my site for information on breaches. IOW, yes, this is a reputable site. :)

      As to why the MSM haven’t picked it up more, that’s a great question, but I suspect that breaches like this one, while tremendously impactful for those affected, are a drop in the bucket when it comes to breaches. In this past year alone, breaches have exposed over 700 million records, so MSM tends to focus on breaches that each impact tens of millions of people.

      Sad, isn’t it?

      • I received the letter also and have ever attended MCC. I understand security breaches, but how did they get any information about me and why are they storing it??? I’ve never been affiliated with any community college in AZ. So what’s up?

  41. I received the letter a few weeks ago and have been thinking about doing something… I was a wine maker/grape grower instructor for several years at MCC. Haven’t lived in AZ for the past 6 years. The letter look fishy to me too. As does the IDIntegrity website – very low cost/bad impression design.

  42. Hubby and I also got one. I too would like to know how they got our out of state address. Not signing up with the Idintegrity site. Too shady. Will put a credit freeze on our accounts with the big three instead.

  43. Got the same letter….sounds fishy. Definitely going to contact credit bureaus-don’t trust this company letter from them. Keep posting updates because I will be following them!

  44. Got one of the letters. Called the toll free number. I did take a few classes to prep me for a state licensing exam back in the early 90s but didn’t know they were part of MCC. I was told they found me and everyone else by hiring a professional investigation firm so it looks like no one can hide anymore. I was going to sign up at this ID Integrity but after reading all the above, I will stick with the 3 credit reporting agencies. The bummer is that all the expense to cover their rear will probably increase my property taxes. Please include me in any future actions and I will check in at this site too. Thanks for doing this.

  45. I received my letter yesterday and googled it to see if it was a scam. I live in MN and have never even applied to MCC so I have no idea how they even got my information.

    I want action!

  46. I too have received this letter and did some additional checking. I called the Maricopa Community Colleges (there are about 10 different county colleges they cover) at 480-731-8000. Their address is: 2411 W. 14th Street, Tempe, AZ 85281. The phone line directs you to a call center they set up to handle calls regarding this issue. I spoke to them and found out that MANY people are demanding that their information be removed from MCC’s computer systems.

    Of course they are claiming that AZ law prohibits them from destroying “public records”. The call center person was not well informed, so I am supposed to get a call back from someone who is better informed and I will be discussing with them whether my personal info is a public record.

    I am appalled at how MCC waited 8 months to notify people and then failed to put any information in the letters on how to contact them.

    • Left messages with 3 different people about purging my information. That was 3 days ago.

      How about a class action law suit?

  47. This came addressed to my mother at the PO Box that I set up for the exclusive purpose of filing her bankruptcy. I did this because she is vulnerable to scams, and expected there would be many after the bankruptcy, as the mailing address is a matter of public record. I’m pretty sure this is 100% scam, unconnected to Maricopa Community Colleges. It would behoove Rufus Glasper and MCC to nip it in the bud, or confirm it on their own website.

  48. I just called the toll free number in the letter and it connects you to the Kroll company. I spoke to them and found out through some pointed questioning that the security breach was an internal breach by one of MCCC’s employees. Can’t imagine why they did not put that info in their letter instead of the nonsense about how they were, “…applying increased security controls”. Also, in order to get the Kroll company credit monitoring service, you have to give them all of your personal information and hope that their employees are honest.

    • All credit monitoring firms will need your personal information, including Social Security number, to monitor your credit reports. How else can they determine which person to monitor and what the information should be? Have some of these firms experienced insider breaches where a dishonest employee misused info? Yep, but the alternative is you spend the rest of your life placing a fraud alert on your credit reports every 90 days or so. And if something happens (like ID theft) and you didn’t sign up for the free credit restoration services, then you’re left dealing with them at your time, expense, and frustration.

  49. My letter dated 12/11/13. I have a feeling that the letter mailings were staggered to avoid a healthcare.gov type crashing of inadequate systems at idintegrity.com. Heads up to anyone using the service: it is monitoring only!! It will not show you any history. do not expect to see your credit score or your credit report after signing up. Kind of useless if you ask me.. since damage could have been done at any time that MCCCD had their heads up their a$$ over the last several months that it took between knowing there was a potential breach, and telling the effected parties. Disgraceful. The chancellor is a CPA! Any CPA worth his salt will know about proper implementation of system/process controls. He should resign.

  50. I received the letter dated Dec. 9 regarding MCCC security incident. MCCC offer security monitoring through idintegrity.com Who are they? Are they Kroll Advisory Solutions at http://www.kroll.com?
    or http://www.krollcybersecurity.com/ Who certifies their safe guarding of information? Why would I just enter my social security out onto another web site offering free monitoring with absolutely no recourse or insurance for safeguarding my data. We should be offered an insurance policy against financial loss.

Sorry, the comment form is closed at this time.