Maricopa Community Colleges notifies 2.5M after data security breach (update 6)
Tim Gallen and Mike Sunnucks report:
The Maricopa County Community College District is notifying nearly 2.5 million students, former students, vendors and employees because their personal information may have been exposed in a security breach.
The Tempe-based college district announced today that it is contacting 2.49 million students, employees and suppliers that their information may have been exposed without authorization.
Sensitive information such as names, birth dates, Social Security numbers and bank account information was exposed, according to the district. MCCCD operates 10 community colleges and also has dual enrollment programs with local high schools.
However, MCCCD officials are not aware of any evidence of any misuses of personal information. Spokesman Tom Gariepy said students or others who worry about identity theft or other fraud can contact a credit services company the district has hired.
“While we are not aware of misuse of anyone’s personal information, we are providing resources to assist all of the people whose information was in these systems, including credit monitoring and other identity safeguards, managed by a nationally known identity protection firm,” said MCCCD Chancellor Rufus Glasper in a statement. “We are examining every aspect of our IT operations, and the changes underway are making us stronger system-wide.”
District officials learned of IT security issues in April this year and began investigating.
Read more on Phoenix Business Journal. In related coverage, KPHO reports that the college district learned of the breach from federal law enforcement on April 29. They also report that names, dates of birth, Social Security numbers and bank account information – but not credit card information or health records – was exposed. Neither news source is clear about the nature of the breach.
UPDATE: I see commenters questioning idintegrity.com as to whether it’s a legitimate service. Note the reference to Kroll on the site. Kroll is a well-known company for cybersecurity issues. Its parent company is Altegrity. You can check them both out. That said, I agree that idintegrity’s web site is lame. They should have introduced themselves and their credentials before asking people to input their personal information.
UPDATE 2 (Dec. 16): I just spoke with MCCC about comments that people do not know why they are receiving letters or how MCCC got their information. IDintegrity should be able to give you that information, but MCCC will be sending me a statement explaining it that I will post on this site when I receive it (hopefully later today or tomorrow). Stay tuned…
UPDATE 3 (Dec. 17): I also spoke with Kroll/IDintegrity today and told them about concerns with the site. I urged them, too, to respond. So far, I have not received any statement from either MCCCD or IDintegrity that I can share with you all. I feel your frustration. And I’ve written another blog post based on your experiences, “There are lessons to be learned from the Maricopa County Community Colleges breach. Learn them, dammit.”
UPDATE 4 (Dec. 19): I have received no statements from MCCCD or IDintegrity/Kroll to post here. How foolish of them not to respond when people are obviously confused, distrustful, and upset. They’ve provided a case study in how NOT to respond to a breach.
UPDATE 5 (Dec. 20): A self-described “ethical hacker” says all your personal information may still be at risk.
UPDATE 6 (Feb. 19): And now the litigation begins. See this post.
M. Johnson - December 7, 2013
I may be someone who is part of the identity theft, and I can say I am absolutely disappointed in how this was handled, the delay of information provided, the lack of details, and the “Well, so far we don’t think anyone’s information was compromised, but here is a free year of identity monitoring, just in case” bandage they offered. My family member received a letter, today, and she had not attended school there since the early nineties. I am curious to know why her information was not put off-line in an archive, given her long status of inactivity at the college. I attended last in 2006, and I paid out-of-pocket, which means my bank information was exposed. The disappointing casual handling of this incident does not satisfy my pensive fear of finding out someone committed a crime using my identity and I will be detained, or the potential use of my information years into the future. A large amount of incredibly personally identifying information was exposed and placed on the market for sale, and it is a matter of time before it comes into play for criminals.