I’m somewhat surprised this took so long.
Back in October, I blogged about a breach involving the Maricopa County Community College District (MCCCD) in Arizona. The breach involved sensitive information such as names, birth dates, Social Security numbers and bank account information of 2.49 million students, former students, vendors and employees. Judging by the almost 100 comments in response to my first post about the breach, there were a lot of confused, frustrated, and/or downright angry breach letter recipients. Much of the anger was completely understandable, as MCCCD had first notified those affected seven months after being informed of the breach by the FBI on April 29.

But it turned out that wasn’t the first time the FBI had alerted them to a data breach. The FBI had first contacted MCCCD back in 2011 to inform them that personal information from one database was found up for sale on the Internet. So MCCCD were alerted in 2011, but had a massive breach in 2013 involving many more databases? Was this an epic #FAIL on data security, or were the two breaches unrelated in their methods and vulnerabilities?

The forensic report has not been made public, so we don’t know for sure, but what we do know is that MCCCD had ample warning to nail down the security of their databases and yet seemingly failed to do so. They also seemingly left the personally identifiable information of former students who hadn’t attended the school in over a decade still connected to the Internet, needlessly (in my opinion) exposing their data to hackers. We also know that someone calling himself an “ethical hacker” reported that he had contacted MCCCD in July that personal information was likely (still) vulnerable on their servers but “nobody really listened to me.”
Trying to be helpful, DataBreaches.net reached out to both MCCCD and Kroll to alert them to problems and questions, but neither ever followed up by providing any statement or clarification that could be posted to help those affected.
Eventually, MCCCD claimed that the breach was a result of staff errors. Specifically, they claimed outside consultants found that the breach was “due to substandard performance of IT workers.” Their claims were subsequently disputed by former employees of MCCCD ITS, who contacted DataBreaches.net and alleged not only that IT had been warning MCCCD about vulnerabilities, but that MCCCD was now engaged in a cover-up.
The employees also claim they have proof that vulnerabilities were reported and that they tried to alert MCCCD to the security risks. As one self-identified former employee posted anonymously under one of the blog entries (emphasis added by me):
We knew the site got hacked a few years ago, because the FBI contacted us before. We hired a security company to come in and help fix it. We begged upper management to let us wipe the server and start over and they refused. The contract to pay for those services is discoverable through AZ public records law. Someone just needs to be a journalist and look for it.
And as another former employee claimed in an e-mailed statement to DataBreaches.net, they (MCCCD) demoted people who tried to speak up about the security problems.
At the time, the district used Bank One and they should have a record of my emails indicating security risks and I had a meeting with the State Auditors, detailing the risks and asking them to investigate.
Things got so bad, the top DBAs quit without notice.
… when there is a lawsuit, all they have to do is question anyone that left the IT department in the last 3 or 4 years and they will have enough evidence to sink the ship.
Not surprisingly, some of those affected by the breach have decided they are entitled to compensation and more harm mitigation than what MCCCD has offered to those affected. The law firm of Gallagher and Kennedy represents two clients who have recently sent notices of claims to MCCCD. In a press release issued February 14, the law firm writes:
Gallagher & Kennedy has served the Maricopa County Community College District with notices of class-action claims on behalf of approximately 2.5 million students, parents and others whose private, confidential information was compromised in a massive data breach. The information included names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, demographic information, and enrollment, academic and financial aid information. The District has publicly acknowledged that the data breach “was due to substandard performance of [the District’s] IT workers,” and that the District had previously been notified of security vulnerabilities which went unaddressed.
The notice of claim for the first client was sent December 27. The notice of claim for the second client was sent January 30. Attorney Mark Fuller of G&K informs DataBreaches.net that MCCCD has not responded to either of the notices of claim yet.
In what appears typical of MCCCD’s poor data security and breach response, MCCCD also apparently did not take immediate steps to preserve all evidence and instruct IT staff not to destroy or alter records. This would be pretty standard legal advice in the wake of a big breach likely to result in litigation, but MCCCD’s IT department was not instructed until February 5 – months after MCCCD disclosed the breach and one month after G&K reminded them of their obligation to preserve evidence for discovery. Even after MCCCD Legal advised ITS, ITS did not instruct its staff for another two weeks. The following internal email was provided to DataBreaches.net:
From: ITS Communications
Sent: Wednesday, February 05, 2014 2:40 PM
Cc: [Redacted by DataBreaches.net]
Subject: Confidential and Privileged – Legal Obligation to Preserve Records
Legal Obligation to Preserve Records
On January 22, 2014, MCCCD’s legal offices advised the importance and legal obligation we have to preserve relevant records. ITS was further advised of pending litigation related to a data security incident. Under no circumstance is ITS to recycle or erase computer hard drives and memory from departing employees. This not only includes any employee leaving ITS but those in the District Building and Emerald Point.
Computer equipment is to be stored in a protected area with a documentation log that includes the following details:
- Departed User
- Name of the person collecting and storing the computer
- Location of Storage
- Identity of ANY person granted access to the computer and why they were granted access
Richard Terrell will be the documentation owner and oversee this important tracking for our legal offices. Richard will be asked to meet with Larry and Sasan, monthly, to review the log.
Additional questions related to this important directive are to be sent to Larry Williams. Larry will be working with Sasan and the legal team to further advise.
Thank you for your cooperation in this matter.
DataBreaches.net will continue to follow the litigation on this breach. And if anyone has additional relevant documentation they would like to share with the public, please e-mail admin[at]databreaches.net