Maricopa Colleges waited 7 months to notify 2.4 million students of data breach

Mary Beth Faller reports some interesting details about the Maricopa Community Colleges breach noted previously on this blog:

The Maricopa County Community College District waited seven months to notify 2.4 million current and former students and employees that their academic or personal data were compromised in an April security breach.


The FBI notified the district on April 29 that it found a website advertising personal data from the district’s information-technology system for sale, Gariepy said. The district’s website was taken down that day and stayed down for several days before being restored in stages.

Gariepy said the district didn’t release information about the event at the time because it was investigating the extent of the exposure.

“There was a tremendous amount of data, and the forensics investigation around this was very complex,” he said. “They had to look at a number of different systems and servers and databases.

“It would have been nice to say something earlier, but we couldn’t give anyone information until we could say it with certainty, even if it’s not conclusive.”

At the same time, the district was repairing its information-technology system and didn’t want to publicize that it could be vulnerable, he said.


About the author: Dissent

14 comments to “Maricopa Colleges waited 7 months to notify 2.4 million students of data breach”

You can leave a reply or Trackback this post.
  1. Jack - December 10, 2013

    After all of the data was stolen, they “didn’t want to publicize that it could be vulnerable?”

  2. David Berrey - December 11, 2013

    If anyone is interested in opening a class action law suit my data was put in danger as well email at [email protected]

    • robvettor - December 17, 2013

      Count me in on a class-action law suit: [email protected]

      That they maintain sensitive data on unsecure servers is negligent. That they do not notify you of the breach for 8 months is reckless.

      Want your data purged? Try calling them and asking. They flat-out refuse to do so — even when you never attended the school.

      Then, they downplay it, saying, well, err, we’re really not sure that there is a problem. While setting up a call center and allocating $14 million dollars to cover the problem.


      • Hiede - December 18, 2013

        How is it that they have the data of people who never attended the school?

        • Melinda - December 27, 2013

          This is exactly what I’ve tried to find out. Kroll/ID Integrity does NOT have this information about database sources despite Maricopa stating that they could provide that info.

          Likewise, the school refuses to provide it… unless I give their random call center associate MY MOTHER’S DOB AND SOCIAL SECURITY NUMBER, in addition to my own. Which, NO FREAKING WAY.

          I’ve never attended Maricopa CC, but applied to Arizona State in 2004-ish (again, never attended). I’m thinking this is a case of information sharing… and I want to know WHY (any why MCC won’t release how they received information from others who were never students).

          Please include me in any updates.

      • W.T. - December 18, 2013

        plz Include me in class action suit as well [email protected]

        I received my letter yesterday and googled it to see if it was a scam. I live in MN and have never even applied to MCC so I have no idea how they even got my information.

        • Christopher Robinson - December 18, 2013

          Please make me a Class member. [email protected]

    • Kristina - December 23, 2013

      Got my letter a week or so ago, just now had time to sit down & find out if it was legit, thank you google for leading me to this thread. Count me in on the class action suit! [email protected]

    • Jt - December 26, 2013

      I have attended several of the Colleges of MCC but have not attended in at least 6 years.
      As I understand that MCC claims that Az Law requires them to keep the records, Az law probably does not specify the format of such records.
      Therefore an offline archive would have been more appropriate.
      Count me in on the class action. [email protected]

  3. Justin - December 19, 2013

    Please include me in the class action law suit; email me at [email protected]. My information was exposed and I now have 2 incidents of probable ID theft within the past 2 months.

  4. Dakota - December 19, 2013

    As far as I know I’ve never been affiliated in any way with the community college system in AZ. I did attend Devry in Phoenix in the 89,90. So how is it they have any information about me?

    I haven’t lived in AZ for 20 years! And is the “banking” info current or past? I’d really like to know what information they have about me and why.

    Include me in any class action [email protected]

    I certainly don’t trust a web site that immediately asks for personal information and looks like a fake site.

  5. dw - December 24, 2013

    Received my letter last week. plz include me in on any class action

  6. frankie - December 26, 2013

    include me also they fucked me too got my letter the 11th of december 2013

  7. BRUCE - December 27, 2013

    I sent a Certified, signature required, letter telling them to delete All my data from all databases. They said they will get to it as soon as the FBI has completed their investigation. I feel if anyone is unable to keep my information secure from theft, they are not entitled to keep that information. Period. I am also waiting for someone to open a Class Action. I also asked for a lifetime of credit monitoring since my SSN lasts a lifetime. If it was just CC info. it wouldn’t be that big of a deal, like Target. BUT when they let hackers get your SSN, that’s serious.

Comments are closed.