Nov 272013
 

Tim Gallen and Mike Sunnucks report:

The Maricopa County Community College District is notifying nearly 2.5 million students, former students, vendors and employees because their personal information may have been exposed in a security breach.

The Tempe-based college district announced today that it is contacting 2.49 million students, employees and suppliers that their information may have been exposed without authorization.

Sensitive information such as names, birth dates, Social Security numbers and bank account information was exposed, according to the district. MCCCD operates 10 community colleges and also has dual enrollment programs with local high schools.

However, MCCCD officials are not aware of any evidence of any misuses of personal information. Spokesman Tom Gariepy said students or others who worry about identity theft or other fraud can contact a credit services company the district has hired.

“While we are not aware of misuse of anyone’s personal information, we are providing resources to assist all of the people whose information was in these systems, including credit monitoring and other identity safeguards, managed by a nationally known identity protection firm,” said MCCCD Chancellor Rufus Glasper in a statement. “We are examining every aspect of our IT operations, and the changes underway are making us stronger system-wide.”

District officials learned of IT security issues in April this year and began investigating.

Read more on Phoenix Business Journal. In related coverage, KPHO reports that the college district learned of the breach from federal law enforcement on April 29. They also report that names, dates of birth, Social Security numbers and bank account information – but not credit card information or health records – was exposed. Neither news source is clear about the nature of the breach.

UPDATE: I see commenters questioning idintegrity.com as to whether it’s a legitimate service. Note the reference to Kroll on the site. Kroll is a well-known company for cybersecurity issues. Its parent company is Altegrity. You can check them both out. That said, I agree that idintegrity’s web site is lame. They should have introduced themselves and their credentials before asking people to input their personal information.

UPDATE 2 (Dec. 16): I just spoke with MCCC about comments that people do not know why they are receiving letters or how MCCC got their information. IDintegrity should be able to give you that information, but MCCC will be sending me a statement explaining it that I will post on this site when I receive it (hopefully later today or tomorrow). Stay tuned…

UPDATE 3 (Dec. 17): I also spoke with Kroll/IDintegrity today and told them about concerns with the site. I urged them, too, to respond. So far, I have not received any statement from either MCCCD or IDintegrity that I can share with you all. I feel your frustration. And I’ve written another blog post based on your experiences, “There are lessons to be learned from the Maricopa County Community Colleges breach.  Learn them, dammit.”

UPDATE 4 (Dec. 19): I have received no statements from MCCCD or IDintegrity/Kroll to post here. How foolish of them not to respond when people are obviously confused, distrustful, and upset. They’ve provided a case study in how NOT to respond to a breach.

UPDATE 5 (Dec. 20): A self-described “ethical hacker” says all your personal information may still be at risk.

UPDATE 6 (Feb. 19): And now the litigation begins. See this post.

  98 Responses to “Maricopa Community Colleges notifies 2.5M after data security breach (update 6)”

  1. I may be someone who is part of the identity theft, and I can say I am absolutely disappointed in how this was handled, the delay of information provided, the lack of details, and the “Well, so far we don’t think anyone’s information was compromised, but here is a free year of identity monitoring, just in case” bandage they offered. My family member received a letter, today, and she had not attended school there since the early nineties. I am curious to know why her information was not put off-line in an archive, given her long status of inactivity at the college. I attended last in 2006, and I paid out-of-pocket, which means my bank information was exposed. The disappointing casual handling of this incident does not satisfy my pensive fear of finding out someone committed a crime using my identity and I will be detained, or the potential use of my information years into the future. A large amount of incredibly personally identifying information was exposed and placed on the market for sale, and it is a matter of time before it comes into play for criminals.

  2. Elsewhere on this blog, I have posted links to two follow-ups on this breach that you may want to read. You’re asking some excellent questions, but of course, that’s little consolation now that your details may be in the wild or have been sold to criminals.

    Historically, no one has ever really done anything about data breaches in the education sector.

    [Remainder of reply deleted after I realized FTC doesn’t have authority over non-profits. Ugh.]

  3. WOW! I just got a letter today!…I went back and forth wondering if this was real…I thought…what a perfect way to scam the info out of people by sending them a letter telling them to call this company for free monitoring services…. Um I am headed to the college to talk to them directly…I wish they would have set up a number for Maricopa Colleges to handle my call but instead the letter only gives the number to the monitoring service! They can’t even give a number to their offices to answer my questions? What a runaround!…

  4. I just got a letter today too. Talk about your lack of motivation on telling people.

  5. I just got a letter today as well. I too thought it was some sort of a scam. Guess I should go talk to the morons about this. Oh, and way to go on the speedy alert they sent so late!

  6. So they haven’t heard of anyone being affected? I’m currently dealing with ACE Cash Express because someone took out a loan online in my name, with my SSN and address, and ACE is coming to me to collect. I’m in the midst of filing a police report, and I get this letter from MCC. Hmmmmm. Coincidence?

  7. My husband and I have not attended since the 70’s, that right…1970’s and are almost ready to retire and got the same letters. Why did it take from April 29 to notify us. Between April through December our information could have been used to the tune of hundreds of thousands and we just now hear about it. Wow. Thanks for letting me know 8 months after the fact. And…how do they know that nobody’s info has been used. All they have to do is change the address and make a few minimum payments and by the time they stop making those minimum payments, the trail is cold and the victims are left to deal with it.

  8. I got a letter today as well, and I haven’t attended an MCC college or lived in Arizona for TWENTY YEARS. How did MCC find my address? And do I really want to cough up my social security and phone numbers to the presumed credit monitoring service. This whole thing stinks to high heaven. I can’t believe there isn’t more internet buzz about this!

  9. i too received this letter from MCC yesterday. Haven’t attended MCC since the 70’s and am appalled the school still had ‘my’ records available for stealing some 40-odd years later. Seems like these so-called ‘educators’ are too stupid to be operating in todays hi-tech world via a collegiate environment.

  10. My letter said “On October 18th, 2013, we determined that your information… may have been accessed without authorization”. This article says the breach was discovered in April. Did it take 6 months just to to determine who was impacted or is this breach #2 this year???

  11. Has anybody contacted idintegrity.com as of yet? my web browser would not open it. When I made it it was not a scure website.

  12. Just looked it up. Yes it made the news. I to have not been there since the 90’s. Crazy!

  13. I have contacted idintegrity.com. Strange…I keep getting emails telling me changes have been made to my profile and for me to contact them at 1-800-806-3917 to verify my identity? They also have claimed they ordered my Credit Report. Why is this? to get me to give them more information about my identity? This whole thing sounds weird. What took 8 months to notify me of the Breech? Has anyone else had this kind of problem?

  14. I never even went to MCC?????!!! I went to a private school, Bryman. Are they connected or does MCC own Bryman?
    This is ………… weird!

  15. I don’t see Bryman listed as being part of MCCC. Maybe you should call MCC or the number given in your letter and ask how they got your information since you never went to MCC.

    Then let us know, please.

  16. I got the letter today. I never attended this school. Is it a scam?

  17. Call them and ask them how they have your information and ask them what information they have.

    Then let us know.

  18. I, too, received a letter in the mail regarding this issue and it claims I have to submit LOADS of personal info to http://www.idintegrity.com. Does anyone have ANY idea whether or not http://www.idintegrity.com is legit or is it simply some scam-artist trying to piggyback off the news to collect all of this personal data by dropping a mailer?

    Let me know if anyone has any experience with http://www.idintegrity.com.

    Gerald

  19. I received a letter today. I never attended their school. Never worked for them or had any contact with them what-so-ever! My bank called me concerning charges they viewed as fraud last month and I had to cancel my debit cards and have the charges reversed. Something is definitely wrong here!!!!

  20. This whole thing is making my stomach churn.
    For God’s sake, I’m only 20 years old trying to get my life situated and I get this letter today.
    Tried going to the site idintegrity they provided, and it was apparently a broken link. I don’t want to give my identity up to these people if its not legit. Has anyone been in contact with idintegrity??? If so, what is your opinion?

  21. Havn’t tried the wed site yet, may not. wondering, has anyone talked direct to the college?? the news may be triggering off the flap from the letters?? anyone signed up to idintegrity yet?

  22. Received the same letter as everyone else today. But I’ve never attended this school. Hello im in New York and never left this state.

  23. Was a student back in the ’80s and received the letter today. I have no idea how they found me on the east coast, but I guess it’s a relatively small world. It’s interesting that the web site they have in the letter (www.idintegrity.com) doesn’t work at the moment. Perhaps their web site uses the obamacare site developers.

  24. I got this letter in today’s mail, NEVER went to anything what so ever connected with MCC schools, attended U of A in the 70’s, period. What I don’t understand is how they even found me or would possibly have had ANY data on me in their system. I already do pretty heavy credit monitoring and have fraud alerts on all my files so no one can open any credit in my name without me being personally contacted to verify the info. I know this works because when I have tried to open a new account I can never get “instant approval” even though I have a very high FICO score and call always qualify.

    So folks, a word to the wise, you don’t need to give these people any info, just contact the 3 major credit bureaus, let them know that you are concerned that you COULD be a victim of identity theft due to exposure of your info from MCC, tell them to put a fraud flag on your file. It will slow down you getting credit by a couple of days and will result in a phone call from the the security people at the institution you are applying for credit at, but you won’t find anyone able to get credit in your name either.

    The alerts are good for 90 days and will be auto renewed by the various bureaus, this is all FREE, don’t let them talk you into paying for any monitoring if you don’t want it, this will stop the bad guys. You need to contact Equifax, Experian and Trans Union and you can find their info here: http://www.fdic.gov/consumers/consumer/news/cnwin0203/three.html

    I hope that helps!

  25. What is amazing is that this is blamed on employee misconduct and yet no one is questioning the people that controlled the finances and made the decisions. This has been a train wreck waiting to happen for years. Software was outdated because so many custom modification were done and not documented, that it was impossible to update before the software lost support . Similar to losing support for Windows XP. If Maricopa does have breach insurance, I doubt it will cover a breach caused by ignoring security best practices. It’s not like the District hasn’t been warned about the risk, they simply put their heads in the sand and hoped it would go away. I doubt, even in 7 months, all the data has been identified and no one has indicated when or how long the breach has been going on. The District only found out about after the FBI notified them, it could have been going on for years!

  26. I think there has been a number of laws broken, FERPA, to protect student information, banking laws because they exposed account info. They say no health information but what about students in health fields or people that go to college clinics? They also mentioned vendors, I hope one of the vendors wasn’t their health or disability vendors. I think the costs are going to go a lot higher than they have budgeted for. Especially when the news reports how lax the security controls have been. Of course with all the spin and smoke and mirrors, the people that should be held accountable will be long gone. Breaches happen but not at this scale

  27. My son received one of the letters on Friday. I don’t think he has even set foot in Arizona. I don’t know what’s going on with these letters but will be calling the school for sure to follow up.

  28. Please let me know how they got his info. I’m wondering if the college bought lists for advertising/recruiting.

  29. I haven’t gone since the 80’s. My son who has been going since 2007, still enrolled, hasn’t received any such letter. The letter looked suspicious to me.

  30. My girlfriend and 90 yr old grandmother also got these letters and niether have ever registered at any college let alone one affiliated with MCC. Hmmmm

  31. Received my letter today. This is my second time (first time was from a financial institution) where my information was stolen/misplaced/released/etc.

    I am so sick and tired of institutions not having the proper security in place to prevent these type of things. At least my first time, we received more of an explanation than from MCC. The last time I was given a full-year of the same type of services.

    Granted nothing happened to my credit fortunately, I feel like there needs to be some type of repercussions for these institutions besides the costs of providing these services to those whose information was taken.

    My last experience with the financial institutions provided me with a “good” type of service which was highly reviewed online. I am extremely disappointing with the service MCC provided to me. This website is poorly built and leaves the user confused and wanting more information than what is provided online, without having to call a freaking toll free number. I searched for reviews about this service and found Nothing which causes suspicion.

    I would not be surprised if the Chancellor or someone affiliated with MCC has a “relationship” with this id theft parent company, or they chose this company because of the low cost (which the appearance of the site would imply). I do not want to talk to a licensed investigator, I want to go online and check all statuses of my credit report and be able to view details.

    The 8 month time delay between the incident and my letter is appalling. My letter says October 18th, they determined my information has been accessed, while this article says April.

  32. Please help!!

    I got this letter as well today in the mail! I am not sure if I should trust this letter or not. I attended college in Northern AZ at a private university for aeronautics. This was in Yavapai County and NOT in Maricopa County. Something is really strange here. Please help!

  33. I am just wondering if anyone has looked at or registered on idintegrity.com? I got this letter about 7 days ago and I am just wondering if I should look into the idintegrity website or if I would be better off talking to my bank to have my accounts monitored. Any idea?

  34. Same letter as the rest. Have recent credit card fraud, but I believe it is not related to this subject. MY GUESS is that the breach occurred a couple of years ago. Had ID theft from Arizona, using my identity, but as a female with slight change to the name. I would never have known this, but OPM contacted me due to my security clearance to go to the a Social Security office and fill out a reporting form.
    Notice how the Chancellor was recently appointed to the Homeland Security advisory council…..my guess is this is a payoff for all the illegal alien voters he brought to the Dems in 2012.

  35. I just got a letter today. NEVER attended MCC… NEVER requested info from them. So HOW would it be possible that they would have my social security #? I would NEVER call the # on the letter. Going to research further. Ready to bring the letter to the police…. and send it to the credit bureaus.

  36. I receive this letter today in the mail

  37. Same thing happened to me. September my debit card was compromised. The letter I rec’d today says that MCC had info compromised in October. I NEVER attended or had anything to do w/them. Some grad program info from Univ of Phoenix. AND MCC doesn’t even seem to be based out of Ga. Out of Az., but not Georgia.

  38. not true phone no. on letter

  39. I too received the letter in the mail. Rather concerned of any security breach etc. and cannot even remotely figure out how I recieved a letter. Never attended Maricopa or its colleges that I recall unless I took a certification course or something. I dont know but one thing is certain, in no way am I going to use the provided idintergrity site or give any info to them. Something smells fishy with all of this. Beware!!

  40. Yes, I’m waiting for a formal statement from MCCC that I can post to this blog, but it seems a lot of people may have take online certification or re-certification courses for their work (fields like EMT and other fields) and never realized that MCCC was involved in their course.

    IDintegrity is legit. Kroll is a huge well-known firm. I will be speaking with them tomorrow about the IDintegrity web site as it just doesn’t inspire confidence in the average consumer who doesn’t know about Kroll.

  41. 2.3 million letters notifying people their id may have been stolen? Just the postage alone is astronomical. What idiot would leave millions of Arizona citizens vulnerable with their sensitive data laying around for hackers to steal? What is this place the ACA website? This is a crime by the community college. They will be getting sued up the ying yang over this one. Stupid twits.

    What I want to know is what they are doing to purge the records of students once they stop taking classes.

  42. This reminds me of the NSA trolling for information to give to the IRS so they can attack political enemies that don’t agree with the liberal progressive idealism .

  43. I decided to join LifeLock instead of that this letter says. I received two letters at home one for me and one for another person I have never heard of before. It is $25 a month for LifeLock and I know they are a legit service.

  44. Ok people…..lets get organize. we need someone that lives near the school and can go and talk to them and let us know whats going on. and if we are going to do lawsuit get a hold of a lawyer that knows how to deal with this. if u dont live in that state, u probably did a certification online which is done by MCCC and thats how they got your info.

  45. Danny I never gave them my current information and haven’t been in AZ in about 11 years.

    This whole thing is atrocious and I think a lawyer is needed. The article I read said the FBI caught wind they were selling our information, these school workers. Our identities being stolen and sold like that is unacceptable in my opinion.

  46. In this news article in explains how you personal info was corrupted even if you were never in AZ, and explains the letter we all received is legit and not a sell you letter but to break your personal info. You can also run a search engine on identity theft. Chase has a idenitity theft kit filled with info to protect yourself from id theft and account take fraud. I never use my MMN on my debit and credit cards anymore. Change it to a Password.
    http://www.azcentral.com/news/arizona/articles/20131206id-breach-may-cost-mcccd-million.html

  47. How about a class-action lawsuit?

    Like many of you, I have never attended the school and have not lived in AZ since 1999. Yet, here they are maintaining my confidential information on their unsecure servers. Interesting they know my current out-of-state address. The response from their call center is pure nonsense and they tell me that they intend to maintain my data forever due to AZ Statue ARS41151, despite my explicit request to purge it.

  48. We knew the site got hacked a few years ago, because the FBI contacted us before. We hired a security company to come in and help fix it. We begged upper management to let us wipe the server and start over and they refused. The contract to pay for those services are discoverable through AZ public records law. Someone just needs to be a journalist and look for it.

  49. When I saw that the firm was asking the confidential information, I checked with a colleague who did register with Idintegrity. He reassured me but when I logged on and filled in the form, the thing didn’t go through – their site was having problems. Now I’m wondering if they captured all that info on me and are not really there at all!

Sorry, the comment form is closed at this time.