AZ: MCCCD release findings from cyber security breach investigation

ABC reports: The Maricopa County Community College District is releasing the findings from an investigation into a cyber security breach that happened earlier this year. In March, the college district announced that suspicious activity was found on their network which resulted in a system shutdown. […] A forensic investigation determined MCCCD likely identified and prevented a potential ransomware attack before the attackers could encrypt systems. Read more on ABC.

Update: Four years later, is MCCCD still trying to cover up alleged security failures?

Sometimes it’s easy to forget that although a breach may be in the headlines for the proverbial 15 minutes, the impact of some breaches and the resulting litigation may go on for years. Back in 2011 and 2013, DataBreaches.net reported on breaches involving the Maricopa County Community College District (MCCCD). The earlier breach appeared to be a relatively small one that I had learned about through a paste showing multiple entities’ data for sale. But the second breach, the one disclosed in 2013, was big. In fact, it appeared to be the largest breach ever reported by a post-secondary educational institution in this country, and I think it probably still holds that unfortunate record. But the proverbial dung hit the fan when it came out that the second breach might have been avoidable had MCCCD properly remediated the first breach.

Eventually, this blogger filed an FTC complaint against MCCCD under the Gramm-Leach-Bliley Act, asking the FTC to investigate the college’s security failures (as revealed by documentation this site had obtained from a variety of sources). EPIC also filed a complaint asking the FTC to investigate MCCCD’s alleged data security failures under its GLBA authority. As far as I know, the FTC never investigated. Whether it declined to investigate due to lack of resources or for some other reason is unknown to me.

I recently learned, however, that a former employee of MCCCD, Miguel Corzo, is still tied up in litigation against MCCCD. MCCCD appeared to have thrown him under the bus, trying to blame the 2013 breach on him. And I suppose I shouldn’t be surprised, but it sounds like the college is still claiming ignorance of a number of reports and warnings it had allegedly been given before the 2013 breach.
Back in 2014, as part of DataBreaches.net’s investigation into the MCCCD breach, this blogger interviewed or exchanged email communications with a number of then-current and former MCCCD employees and contractors. This site also obtained state audits through public records searches, as well as copies of reports prepared by external contractors and/or employees. Among the files and reports this site obtained were some very bluntly written reports warning MCCCD of what would likely happen if it did not take certain actions. Some of those reports were sent to me with a statement that they had been handed directly to the then-Chancellor and “all members of his Vice Chancellor group” at the beginning of 2013. The reports obtained by this site included four Word files:

– “OnGoing Risks”
– “Risks_Associated_With_No_Action”
– “Key Transformation Success Factors”
– “Transformation Readiness Questions”

as well as other files:

– “MCCCD – Incident Response Consulting 2011 – Tactical Project Recommendations” (a consulting report from Stach & Liu)
– “Maricopa_Risk_Assessment_v3” (a PowerPoint file prepared by Oracle)
– “Maricopa – Security insight Slides2” (a PowerPoint slide)
– “First Draft – Information Security Program – 06012011” (a Word file)

Other relevant reports are mentioned in a partial chronology published in this post and in this post. For the most part, DataBreaches.net did not publish the reports this site obtained, for fear that publication at that time might provide criminals with a roadmap for how to successfully attack MCCCD (again) if MCCCD still had not remediated certain vulnerabilities. But the fact that this site didn’t publish all the reports or name the former employees or contractors who provided the reports and statements doesn’t mean that the reports do not exist or that they were never given to MCCCD prior to the large 2013 breach. It’s time for any cover-up to stop.

Did MCCCD leadership shut their eyes to a database security assessment for plausible deniability in litigation?

A former Maricopa County Community College District employee alleges that executive leadership closed their eyes to a report on database security conducted after the massive data breach in 2013 so that they would have plausible deniability in any litigation. As a result, the employee alleges, the findings were never shared with those tasked with securing MCCCD’s data assets.

In November 2013, Maricopa County Community College District (MCCCD) disclosed that it had been informed by the FBI that 14 databases with personal information had been found up for sale on the Internet. The potential compromise of 2.5 million students’, employees’ and vendors’ personal and financial information currently stands as the largest breach ever in the education sector. As part of its continuing investigation into that breach, DataBreaches.net recently disclosed parts of a report issued by Stach & Liu in 2011 after an earlier hacking incident. Failure to properly remediate that breach had been cited as a factor in the 2013 breach. Of special relevance now, MCCCD’s external counsel had asserted that MCCCD administration at the highest levels never even knew of the report’s existence until after the 2013 breach. That claim was disputed by former employee Earl Monsour, who stated he had delivered the report to the Vice Chancellor for ITS.

Today, DataBreaches.net can reveal that following the massive 2013 breach, there was a database security assessment that MCCCD has shared with neither its own personnel nor the public. Will MCCCD leadership claim they have never seen this report, too? According to a former employee, if the Chancellor and executive leadership do claim they never saw this report, it is because MCCCD did not want to see it for fear it could hurt them in litigation.

According to the former employee who spoke with DataBreaches.net, Oracle had been brought in to assess database security following the 2013 breach, but MCCCD subsequently tried to stop Oracle from delivering its report to MCCCD:

(MCCCD) made it clear that if they did not see it (the report), they could deny it… they then put Oracle on notice they were going to go after them as this was going to cause harm to their case.

There is no mention of retaining Oracle in MCCCD board minutes following the 2013 breach, and no mention of Oracle conducting any security assessment in the timeline of steps Wilson Elser stated the District took following the breach. Wilson Elser’s timeline, submitted in November 2013, names Stach & Liu and Kroll Advisory Services and describes their roles, but never mentions Oracle. The former employee claims that, to MCCCD’s great upset, the Oracle report was delivered, but MCCCD leadership did not look at it:

To be clear – no one at MCCCD leadership saw this… did not want to see it… did not want it on their servers… they were pissed to the max that this document was sent to MCCCD. The legal teams did everything in their power to never let this see the light of day… and it has not. Therefore, nothing that was recommended by Oracle was done as part of the official MCCCD remediation plan.

It is one thing for lawyers to claim a report is privileged or work product and exempt from public disclosure or disclosure to an adversary in litigation; commissioning an assessment through counsel for that reason is routine. It is quite another thing for those responsible for securing tons of personal information to intentionally not read a report they presumably paid for and that might identify vulnerabilities or problems that should be addressed to prevent future breaches. Privilege governs who may see the document; it does not fix anything the document found. Should there be another massive data breach, and should it be determined that the vulnerabilities had been identified in Oracle’s 2013 report, the consequences to the District and taxpayers could be significant.

So what was in Oracle’s June 2013 “Database Security Healthcheck” that MCCCD’s leadership allegedly did not even look at? Because this blog does not want to provide hackers with a roadmap to attack MCCCD if MCCCD still has not adequately secured its network and systems, the full report will not be published here at this time. DataBreaches.net will, however, note just some of the problems the report identified (without the elaboration or recommendations that were provided in the report). The categorization as “severe,” “significant,” and “moderate” is Oracle’s:

– “Network Not Secure” (Severe Risk category)
– “Default Application Accounts PW Not Changed” (Severe Risk category)
– “Unsecured Access to Servers” (Significant Risk category)
– “No Tool SQL Injection Prevention” (Moderate Risk category)

As noted above, the preceding are just some of Oracle’s findings. In many cases, Oracle’s report described MCCCD’s then-current security for an identified issue as “none.” None of these is an exotic weakness: unchanged default application passwords and unrestricted access to servers are among the first things an attacker checks for, and they are also among the cheapest to fix.

Lack of Transparency a Long-Standing Problem at MCCCD?

Some of the issues raised in Oracle’s June 2013 report are the same issues Oracle raised in its April 2008 “Insights” report. To be fair to MCCCD, many of the issues raised in the 2008 report required vendor solutions, or solutions were not even available at the time. The April 2008 report was submitted to MCCCD one month before MCCCD experienced an unrelated data leak in PeopleSoft due to a programming error that allowed any user to query the database for records on any of millions of users. Although MCCCD claimed that the exposure only affected people with the last name “Gilford,” former employees tell DataBreaches.net that they believe the entire database could have been queried during the few weeks before the error was detected. In 2011, MCCCD experienced a breach involving a MySQL database on public-facing web servers controlled by the Marketing Department.

While that breach was relatively small as such breaches go, sources tell DataBreaches.net that they felt “lucky” it wasn’t worse, and knew that if they did not secure the web servers, the next breach could be much worse. And it did get worse, they say, because MCCCD administrators ignored or rejected the advice of employees who tried to secure the system and who repeatedly urged MCCCD to quickly replace the badly compromised web servers (a host an intruder has controlled cannot be trusted again until it is rebuilt from clean media, which is why replacement, not patching in place, was the advice). Yet, despite the fact that it still had not replaced the compromised web server that had been brought back online, and despite the fact that its monitoring system was in shambles, the Vice-Chancellor of ITS gave a report to the Governing Board in March 2012 where the Board minutes reflect he asserted that the District was “very consistent” with the industry and things were “very good about […]

MCCCD fires IT manager who warned of security breach

The Maricopa Administration is accusing me of not doing a job that wasn’t mine to do, being responsible for systems that I wasn’t responsible for, knowing about a security document that was never shared with me, not communicating upwards when I repeatedly did so, not protecting Maricopa data when the data that was stolen was not my responsibility to protect, being the database administrator for databases I had no control over, being responsible for compromised systems that were not under my supervision, performing below standards when my supervisor evaluations pointed to the contrary, not doing enough during an incident in 2011 when I was onsite, working with my staff and others to help Maricopa address a small security breach. Why is the Administration turning a blind eye to all these facts? Why did the hearing committee ignore all these when making their recommendation?

— Miguel Corzo, appealing to the Governing Board of MCCCD

Well, I expected this, but am still sad to hear that MCCCD fired an employee who maintains his lack of responsibility for the security failures at Maricopa County Community College District that resulted in the theft of 2.5 million people’s personal and/or financial information. Jared Dillingham reports: Read more on AZFamily.com.

Why did the board – with the exception of one board member – deny him the chance to plead his case? This case is not over. In a statement to DataBreaches.net, Corzo writes:

I am more than ever determined to see this through. I expected this outcome so I am not surprised. It is now time to bring the Federal Government or higher public body into the picture.

Here is the text of Corzo’s statement to the governing board last night (pdf).

MCCCD breach: view from the under the bus

It appears that Maricopa County Community College District (MCCCD) is doubling down on trying to throw employees under the bus in the wake of its 2013 breach affecting 2.5 million. According to a web site created by the attorney for the employees:

The MCCCD Administration is accusing Mr. Corzo of not doing a job that wasn’t his to do, being responsible for systems he wasn’t supposed to be responsible for, knowing about a document that was never shared with him, not communicating upwards when he repeatedly did so, and not doing enough during an incident in 2011 when he was onsite, working with his staff and others to help MCCCD address a small security breach. In 2013 when the second and larger breach took place, Mr. Corzo was no longer assigned to any supervisory or database duties. The ERPs at MCCCD that Mr. Corzo was responsible for were never compromised in 2011. A small database residing on the main maricopa webservers was compromised. This database was the responsibility of the marketing department and the network and server team at MCCCD, not Mr. Corzo’s team.

Read more on Maricopa Security Breach.

The residents, taxpayers, and governing board of MCCCD should not allow this travesty to continue. Documentation provided by Mr. Corzo and others raises serious questions about both due process and the accuracy of the administration’s accusations. As I’ve said before, this case calls for an independent investigation – by Arizona’s state legislature, the state attorney general, Congress, and the Federal Trade Commission. The 2.5 million who have been at risk of identity theft deserve no less. The employees who claim they have been scapegoated and falsely accused deserve no less. And the taxpayers and students of Maricopa County who are now paying more tuition because of the breach costs deserve no less.

Will the MCCCD governing board agree with the chancellor’s recommendation to terminate Mr. Corzo’s employment when the board meets tonight, or will they actually read his lengthy annotated response to the charges and give him an opportunity to testify to them and to call the witnesses he has always sought to call? For the sake of MCCCD and fairness, I hope it’s the latter.

Update: See coverage by Mary Beth Faller in today’s Arizona Republic.

The MCCCD breach: Breach costs now approach $20 million

Mary Beth Faller reports that breach costs for the Maricopa County Community College District (“MCCCD”) breach continue to rise:

The Maricopa County Community College District governing board has approved an additional $2.3 million in lawyers’ fees to deal with the computer-security breach that occurred last year. The board also approved spending $300,000 to deal with records management, pushing the total amount authorized for the breach to nearly $20 million.

Read more on AZCentral. Previous coverage of the MCCCD breaches can be found by searching this site for “MCCCD.”

Commentary: We need a congressional inquiry into the MCCCD breach

President Truman had a sign on his desk that said, “The buck stops here.” We could use more of that accountability when it comes to data breaches in the education sector.

Back in 2006, when I first began blogging about data breaches on PogoWasRight.org, I covered a series of breaches at Ohio University. One of the things that made the Ohio U. situation newsworthy was that the university publicly fired two IT managers. The firings made sense to some, who suggested that having heads roll might be a smart public relations move to show that the university took the breach seriously. But shouldn’t the heads that roll be the heads that were responsible? The two Ohio University employees were subsequently found to have had no responsibility for the breaches. Stunningly, even though a grievance committee recommended reinstatement and an apology, the provost decided she would not rescind the firing because they “failed in their responsibility for designing and maintaining a secure network.” Firing employees for not providing a secure environment after you’ve ignored their recommendations that might have prevented the breaches seemed somewhat unfair to me.

And that’s what seems to be happening again in the aftermath of the Maricopa County Community College District (MCCCD) breach that I’ve been covering on this blog since last year. When MCCCD finally – seven months after it was informed of the breach – issued a statement and started notifying those affected, its notification to state attorneys general blamed IT employees who allegedly failed to live up to MCCCD standards and obstructed the investigation into the 2011 breach, allegedly thereby leading to the 2013 breach. In the wake of the massive data breach, a number of employees resigned or were forced out. Based on information I’ve continued to review in my investigation, I suspect there probably were grounds to hold a few of them somewhat responsible.

But what is concerning to me is that MCCCD initiated disciplinary proceedings against two employees – Miguel Corzo and Earl Monsour – who wouldn’t be forced out because they had done nothing wrong and refused to become scapegoats for MCCCD’s mismanagement of its IT department and data security. It is Ohio University all over again. Based on MCCCD’s organizational chart for its ITS department in 2011, neither Corzo nor Monsour had any responsibility for the web servers that were compromised in 2011. After the breach, they were asked to help, and they tried repeatedly to get MCCCD to deploy appropriate security programs and controls that would have prevented the 2013 breach. Indeed, their efforts to address MCCCD’s inadequate security programs and policies began years before the first breach.

– In 2009, Corzo authored a strategic report to the District that made numerous recommendations that would be considered industry standard. His recommendations were allegedly dismissed by Vice Chancellor Kahkedjian.
– After the January 2011 breach, Corzo, Monsour, and others, including Martin Gang (who left MCCCD in 2011), quickly identified the problems leading to the 2011 breach and what needed to be done to remediate it. They repeatedly tried to get MCCCD to implement the recommendations of external consultants and ITS personnel.
– When MCCCD didn’t address the security issues in a timely fashion, Corzo and Monsour filed an oversight report. MCCCD allegedly did not respond to it. Nor did MCCCD appear to implement recommendations in a state audit that had noted deficiencies and concerns – recommendations that MCCCD said it agreed with and would implement.
– Not giving up in their efforts to address MCCCD’s serious data security deficiencies, Corzo and Monsour escalated the matter by filing a grievance report in 2012. MCCCD allegedly did not respond to the grievance report, either. Neither has its Governing Board, to whom the grievance report was recently escalated.

Not surprisingly, then, in 2013, two years after it had suffered a similar breach that it had not fully remediated, MCCCD suffered a massive data breach that affected 2.5 million. And MCCCD pointed the finger at two employees who had no responsibility for the first breach and had tried repeatedly and tirelessly to get MCCCD to implement effective policies and programs? Employees who weren’t even there in 2013? Enough, already!

Inspection of the approximately 1,000 incidents in DataLossDB.org involving higher education institutions in the U.S. reveals that the MCCCD breach in 2013 was the largest data security breach ever reported by a U.S. institution of higher education. Have MCCCD and its governing board accepted responsibility or said, “The buck stops here”? No, they have not. They have seemingly tried to deflect blame to two employees who tried to protect customer and consumer information. And while MCCCD has tried to claim that a consultant’s report following the 2011 breach was never given to MCCCD at the “highest levels,” that claim has been loudly refuted by at least three employees who affirm that the report was given to the Vice-Chancellor of ITS at the time.

Yes, it would probably be appropriate to have some heads roll in this case, but if heads roll, it should start at the top – with the Chancellor and Vice-Chancellor – where there seem to have been serious failures in management. They need to be held accountable for failing to respond to repeated warnings and for failing to ensure that millions of people’s personal and financial information was adequately secured. Frustratingly, while MCCCD is already facing several potential class-action lawsuits and is spending millions on security upgrades, credit monitoring services, lawyers, and consultants, MCCCD has so far escaped any federal regulators because no federal agency investigates or enforces data security in the education sector. That needs to change.

It’s high time the federal government took breaches in the education sector as seriously as it takes breaches in the business, financial, and healthcare sectors. Universities collect and store a tremendous amount of personal, financial, and health information. This year, parents and privacy advocates have created waves throughout the country about the importance of protecting student data in the K-12 sector. Many of the same issues apply to post-secondary education. If the FTC can put businesses under a 20-year monitoring plan, and if the FTC can go after Wyndham for repeated breaches and inadequate security, it should have the authority to hold universities accountable for data security, too. Ask not where the buck […]

In split vote, MCCCD extends contract with law firm for data breach-related services (updated)

I usually don’t find news about law firms’ contracts for data breach-related services particularly noteworthy, but in the context of Maricopa County Community College District (MCCCD)’s data breach response, there’s been a newsworthy aspect. Last year, MCCCD hired the law firm of Wilson Elser to handle its breach response. As I noted on March 20, a law firm has sued MCCCD to compel production of public records related to the case after Wilson Elser failed to provide any requested documents, citing personnel matters and concern about providing a “road map” for hackers as its main explanations for not providing records. Had Wilson Elser advised MCCCD that it could and should withhold the requested records, or had the client instructed the firm to withhold the records against Wilson Elser’s advice? We’ll likely never know, but the failure to respond to public records requests has now generated additional litigation that may mushroom if media outlets also sue MCCCD for public records.

Additionally, employees involved in a personnel dispute over their roles in the breach informed DataBreaches.net that not only had MCCCD failed to provide them with the public records they need to defend themselves from disciplinary action, but MCCCD had gone so far as to demand that they return records that had previously been provided to them under public records law. Did Wilson Elser advise MCCCD to do this, or is this MCCCD’s decision despite advice from counsel? Again, we’ll likely never know, although statements made by one governing board member hint that Wilson Elser may have advised its client on the personnel/human resources aspect of the breach handling and MCCCD didn’t like the advice.

[Some of the involved MCCCD employees have created a timeline of the breach that covers the first breach in 2011 and what they allege are their repeated attempts to get MCCCD to respond to the unaddressed and unremediated security concerns. If documents support the timeline and allegations of Miguel Corzo and Earl Monsour, it’s a very damning situation for MCCCD, which has tried to hang responsibility for the 2013 breach affecting 2.4 million on the employees. The law firm of Gallagher & Kennedy, which represents some of the breach victims in a potential class action lawsuit, has now sought the court’s permission for an expedited deposition of Earl Monsour, who reportedly is gravely ill.]

In any event, when the MCCCD governing board met this week, one of the items on its agenda was the extension of Wilson Elser’s contract, although most of the discussion occurred in executive (non-public) session. The Arizona Republic reports that the MCCCD governing board voted 3-2 to extend Chicago-based Wilson Elser’s contract, but with an amendment that a Phoenix law firm must be brought in to assist with public records matters and litigation. The two board members who voted against the contract extension reportedly did so because they felt the lawyers had been “condescending” and “overstepping their bounds.” So how did Wilson Elser offend its client – or at least two members of the governing board? The Arizona Republic reports:

Board members Debra Pearson and Randolph Lumm voted against extending Wilson Elser’s contract on Tuesday night after questioning the way the firm has dealt with the district.

“I have confidence that we can find a Phoenix firm that will not be condescending and talking down to us and doing things that are inappropriate and out of order,” Pearson said. She proposed terminating the Wilson Elser contract and hiring a local firm exclusively to handle the security matters. That motion failed. The district’s staff attorney, Lee Combs, said that Wilson Elser has projects under way and that dropping the firm would be “extremely inadvisable and wasteful.”

Lumm said he felt as though Wilson Elser’s lawyers were telling the district what to do. “My concern is that I don’t want a law firm telling us how to run IT, telling us how to run HR,” he said. “I think they’ve overstepped their bounds. I think it’s inappropriate for out-of-state lawyers to come in here and say, ‘You need to structure your IT this way.’ We asked them for security advice only, and when they start reshaping our IT, that’s out of order.”

If MCCCD’s handling of IT and/or human resources was so problematic as to put it at risk of more litigation (the EEOC has reportedly contacted MCCCD after employees filed a discrimination and retaliation complaint), I would hope that its law firm would advise it on the human resources aspect of its breach response. Perhaps the problem in this case is not with the law firm, but with the client? MCCCD is a publicly funded institution that has seemingly dropped the ball on data security in a serious way. It has not been forthcoming with all stakeholders about what happened in 2011 and after. Instead of criticizing their law firm, governing board members should be taking a long hard look at management at MCCCD to see whether, as the employees allege, non-responsiveness to the 2011 breach caused the current problems. And they should immediately correct course and start releasing public records. I think it’s reasonable to predict that the litigation against MCCCD will continue to mount and that other plaintiffs – breach victims, employees involved in the breach, and media outlets – will join the fray. Stay tuned, as DataBreaches.net will continue to follow this case.

Update: ABC obtained the grievance report filed in 2012 by some of the ITS employees that pointed out the high risks and noted that recommendations made in 2011 had not been implemented. One of the employees involved informs DataBreaches.net that they never received a formal response to the grievance filed almost one and a half years ago. Documents such as the grievance report really challenge MCCCD’s attempts to blame employees for not making it aware of the situation or risks, and the employees who are sharing their story with the media in response to MCCCD’s attempts to blame them or to cover up failures at the administrative level […]

Another notice of claim filed against MCCCD following massive breach

Another lawsuit has been filed against Maricopa County Community College District. From the press release by the law firm:

Gallagher & Kennedy has served the Maricopa County Community College District with another notice of class-action claims on behalf of approximately 2.5 million students, parents and others whose private, confidential information was compromised in a massive data breach. The information included names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, demographic information, and as-yet-unspecified “enrollment, academic and financial aid information.” In April 2013, the FBI notified the District that this information was available for sale on the internet. Since then, the District has publicly acknowledged that the data breach “was due to substandard performance of [the District’s] IT workers,” and that the District had previously been notified of security vulnerabilities which went unaddressed. Moreover, the District’s counsel has disclosed that before beginning to notify those affected by the breach, the District took “remedial” action which prevented consultants from determining the extent to which the data had been accessed without authorization.

Unlike other potential claimants, the claimant in this notice, who has been adjunct faculty at MCCCD for a number of years, recently became a victim of ID theft. The complaint has been redacted by the law firm prior to uploading to their site:

Although [redacted] is very sensitive to the potential for identity theft, and takes great care to protect the secrecy of her PII, a thief with access to her PII recently opened a BillMeLater credit account in her name, using, among other things, her full name, address, date of birth and Social Security Number – information clearly obtained by the identity thief from the District’s 2013 Breach. [redacted] was extremely fortunate in that she already had a PayPal account when the thief attempted to steal her identity, because BillMeLater is affiliated with PayPal and PayPal had [redacted] email address on file with her existing account. The discrepancy between that email address and the one provided by the thief led BillMeLater to make contact with [redacted] directly, at which point she learned of the fraud. Nonetheless [redacted] experience (and that of many other class members) confirms that the PII available on the internet was in fact misappropriated, has in fact been misused, and will in fact be misused in the future. And notwithstanding [redacted] efforts to respond to the situation (for example, filing reports with the police and FTC and putting fraud alerts on her credit), there is nothing she can do about the fact that her PII was disclosed to one or more criminals whose identity remains unknown, and that confidential information will remain in the public domain permanently.

One detail in the notice deserves emphasis for anyone responding to a breach: “remedial” action taken before the forensic examination is complete destroys the evidence needed to determine what was accessed. Affected systems should be imaged and preserved first; rebuilding comes after.

Costs continue to mount in MCCCD breach

While I continue to wade through materials sent to this site concerning the Maricopa County Community College District (MCCCD) breach, Mary Beth Faller has an update on the costs of the breach:

The cost to deal with the breach in the computer system at the Maricopa County Community College District could total $17.1 million, with most of that spent on lawyers and services to the millions of people whose personal data was exposed. Over the past 10 months, about $6.8 million has been authorized to repair the system. In November, the district disclosed that hackers had invaded a server in April, exposing Social Security numbers and banking information of 2.4 million current and former students, faculty members and vendors from as long as 30 years ago.

Read more on AZcentral.