Maricopa Community Colleges notifies 2.5M after data security breach (update 6)

Tim Gallen and Mike Sunnucks report:

The Maricopa County Community College District is notifying nearly 2.5 million students, former students, vendors and employees because their personal information may have been exposed in a security breach.

The Tempe-based college district announced today that it is contacting 2.49 million students, employees and suppliers that their information may have been exposed without authorization.

Sensitive information such as names, birth dates, Social Security numbers and bank account information was exposed, according to the district. MCCCD operates 10 community colleges and also has dual enrollment programs with local high schools.

However, MCCCD officials are not aware of any evidence of any misuses of personal information. Spokesman Tom Gariepy said students or others who worry about identity theft or other fraud can contact a credit services company the district has hired.

“While we are not aware of misuse of anyone’s personal information, we are providing resources to assist all of the people whose information was in these systems, including credit monitoring and other identity safeguards, managed by a nationally known identity protection firm,” said MCCCD Chancellor Rufus Glasper in a statement. “We are examining every aspect of our IT operations, and the changes underway are making us stronger system-wide.”

District officials learned of IT security issues in April this year and began investigating.

Read more on Phoenix Business Journal. In related coverage, KPHO reports that the college district learned of the breach from federal law enforcement on April 29. They also report that names, dates of birth, Social Security numbers and bank account information – but not credit card information or health records – was exposed. Neither news source is clear about the nature of the breach.

UPDATE: I see commenters questioning as to whether it’s a legitimate service. Note the reference to Kroll on the site. Kroll is a well-known company for cybersecurity issues. Its parent company is Altegrity. You can check them both out. That said, I agree that idintegrity’s web site is lame. They should have introduced themselves and their credentials before asking people to input their personal information.

UPDATE 2 (Dec. 16): I just spoke with MCCC about comments that people do not know why they are receiving letters or how MCCC got their information. IDintegrity should be able to give you that information, but MCCC will be sending me a statement explaining it that I will post on this site when I receive it (hopefully later today or tomorrow). Stay tuned…

UPDATE 3 (Dec. 17): I also spoke with Kroll/IDintegrity today and told them about concerns with the site. I urged them, too, to respond. So far, I have not received any statement from either MCCCD or IDintegrity that I can share with you all. I feel your frustration. And I’ve written another blog post based on your experiences, “There are lessons to be learned from the Maricopa County Community Colleges breach.  Learn them, dammit.”

UPDATE 4 (Dec. 19): I have received no statements from MCCCD or IDintegrity/Kroll to post here. How foolish of them not to respond when people are obviously confused, distrustful, and upset. They’ve provided a case study in how NOT to respond to a breach.

UPDATE 5 (Dec. 20): A self-described “ethical hacker” says all your personal information may still be at risk.

UPDATE 6 (Feb. 19): And now the litigation begins. See this post.

About the author: Dissent

98 comments to “Maricopa Community Colleges notifies 2.5M after data security breach (update 6)”

You can leave a reply or Trackback this post.
  1. M. Johnson - December 7, 2013

    I may be someone who is part of the identity theft, and I can say I am absolutely disappointed in how this was handled, the delay of information provided, the lack of details, and the “Well, so far we don’t think anyone’s information was compromised, but here is a free year of identity monitoring, just in case” bandage they offered. My family member received a letter, today, and she had not attended school there since the early nineties. I am curious to know why her information was not put off-line in an archive, given her long status of inactivity at the college. I attended last in 2006, and I paid out-of-pocket, which means my bank information was exposed. The disappointing casual handling of this incident does not satisfy my pensive fear of finding out someone committed a crime using my identity and I will be detained, or the potential use of my information years into the future. A large amount of incredibly personally identifying information was exposed and placed on the market for sale, and it is a matter of time before it comes into play for criminals.

    • Dissent - December 8, 2013

      Elsewhere on this blog, I have posted links to two follow-ups on this breach that you may want to read. You’re asking some excellent questions, but of course, that’s little consolation now that your details may be in the wild or have been sold to criminals.

      Historically, no one has ever really done anything about data breaches in the education sector.

      [Remainder of reply deleted after I realized FTC doesn’t have authority over non-profits. Ugh.]

      • Rj - December 15, 2013

        I think there has been a number of laws broken, FERPA, to protect student information, banking laws because they exposed account info. They say no health information but what about students in health fields or people that go to college clinics? They also mentioned vendors, I hope one of the vendors wasn’t their health or disability vendors. I think the costs are going to go a lot higher than they have budgeted for. Especially when the news reports how lax the security controls have been. Of course with all the spin and smoke and mirrors, the people that should be held accountable will be long gone. Breaches happen but not at this scale

    • Tessie - December 9, 2013

      My husband and I have not attended since the 70’s, that right…1970’s and are almost ready to retire and got the same letters. Why did it take from April 29 to notify us. Between April through December our information could have been used to the tune of hundreds of thousands and we just now hear about it. Wow. Thanks for letting me know 8 months after the fact. And…how do they know that nobody’s info has been used. All they have to do is change the address and make a few minimum payments and by the time they stop making those minimum payments, the trail is cold and the victims are left to deal with it.

      • man - December 20, 2013

        The FBi find a website were they were trying to sell all the info 😀

    • anonymous - December 19, 2013

      Dear Mr school Chancellor, Thank you for sending me the notification that you released my personnal date to criminals! I also appriciate the one year protection by a questionable security company. I am sure the individuals with our info have no idea that it will expire in one year. I would also appriciate you sending me the scheduled dates for the public executions. I would very much like to attend.

  2. gary - December 9, 2013

    WOW! I just got a letter today!…I went back and forth wondering if this was real…I thought…what a perfect way to scam the info out of people by sending them a letter telling them to call this company for free monitoring services…. Um I am headed to the college to talk to them directly…I wish they would have set up a number for Maricopa Colleges to handle my call but instead the letter only gives the number to the monitoring service! They can’t even give a number to their offices to answer my questions? What a runaround!…

    • Anonymous - December 9, 2013

      I just got a letter today too. Talk about your lack of motivation on telling people.

    • Anonymous - December 16, 2013

      not true phone no. on letter

      • Anonymous - December 22, 2013

        Not to MCC, only Kroll.

  3. Katie - December 9, 2013

    I just got a letter today as well. I too thought it was some sort of a scam. Guess I should go talk to the morons about this. Oh, and way to go on the speedy alert they sent so late!

  4. Jack - December 9, 2013

    So they haven’t heard of anyone being affected? I’m currently dealing with ACE Cash Express because someone took out a loan online in my name, with my SSN and address, and ACE is coming to me to collect. I’m in the midst of filing a police report, and I get this letter from MCC. Hmmmmm. Coincidence?

  5. Jan - December 9, 2013

    I got a letter today as well, and I haven’t attended an MCC college or lived in Arizona for TWENTY YEARS. How did MCC find my address? And do I really want to cough up my social security and phone numbers to the presumed credit monitoring service. This whole thing stinks to high heaven. I can’t believe there isn’t more internet buzz about this!

    • anonymous - December 19, 2013

      What if Idintigrity is a start up security company with a friend working at MCC! What a way to start a new business with 2.5 m new customers, most of which won’t drop off after the first year, knowing the the info is still out there. I am going with lifelock and sending MCC the bill. If they choose not to pay I will see them in small claims.

    • MaryAnn - December 26, 2013

      I am in the exact same situation! I fail to understand why personal information this old was not archived and instead left online where it could be compromised. Maricopa Community Colleges have acted irresponsibly with people’s personal information. The action they are taking now is a day late and a dollar short. I am all in favor of a class action law suit.

  6. Ed - December 10, 2013

    i too received this letter from MCC yesterday. Haven’t attended MCC since the 70’s and am appalled the school still had ‘my’ records available for stealing some 40-odd years later. Seems like these so-called ‘educators’ are too stupid to be operating in todays hi-tech world via a collegiate environment.

  7. Redradioflyer - December 10, 2013

    My letter said “On October 18th, 2013, we determined that your information… may have been accessed without authorization”. This article says the breach was discovered in April. Did it take 6 months just to to determine who was impacted or is this breach #2 this year???

  8. Mike D. - December 10, 2013

    Has anybody contacted as of yet? my web browser would not open it. When I made it it was not a scure website.

    • Anonymous - December 22, 2013

      I just tried it access idintegrity and my browser wouldn’t open it either.

  9. Chris K - December 10, 2013

    Just looked it up. Yes it made the news. I to have not been there since the 90’s. Crazy!

  10. Mary N - December 12, 2013

    I have contacted Strange…I keep getting emails telling me changes have been made to my profile and for me to contact them at 1-800-806-3917 to verify my identity? They also have claimed they ordered my Credit Report. Why is this? to get me to give them more information about my identity? This whole thing sounds weird. What took 8 months to notify me of the Breech? Has anyone else had this kind of problem?

  11. Linda F - December 12, 2013

    I never even went to MCC?????!!! I went to a private school, Bryman. Are they connected or does MCC own Bryman?
    This is ………… weird!

    • Dissent - December 12, 2013

      I don’t see Bryman listed as being part of MCCC. Maybe you should call MCC or the number given in your letter and ask how they got your information since you never went to MCC.

      Then let us know, please.

    • I'm wifey - December 19, 2013

      Inever went to mcc but i did go to bryman

  12. anna - December 12, 2013

    I got the letter today. I never attended this school. Is it a scam?

    • Dissent - December 12, 2013

      Call them and ask them how they have your information and ask them what information they have.

      Then let us know.

  13. Gerald - December 13, 2013

    I, too, received a letter in the mail regarding this issue and it claims I have to submit LOADS of personal info to Does anyone have ANY idea whether or not is legit or is it simply some scam-artist trying to piggyback off the news to collect all of this personal data by dropping a mailer?

    Let me know if anyone has any experience with


  14. Rick - December 13, 2013

    I received a letter today. I never attended their school. Never worked for them or had any contact with them what-so-ever! My bank called me concerning charges they viewed as fraud last month and I had to cancel my debit cards and have the charges reversed. Something is definitely wrong here!!!!

    • totalscammers - December 16, 2013

      Same thing happened to me. September my debit card was compromised. The letter I rec’d today says that MCC had info compromised in October. I NEVER attended or had anything to do w/them. Some grad program info from Univ of Phoenix. AND MCC doesn’t even seem to be based out of Ga. Out of Az., but not Georgia.

  15. Jb - December 13, 2013

    This whole thing is making my stomach churn.
    For God’s sake, I’m only 20 years old trying to get my life situated and I get this letter today.
    Tried going to the site idintegrity they provided, and it was apparently a broken link. I don’t want to give my identity up to these people if its not legit. Has anyone been in contact with idintegrity??? If so, what is your opinion?

    • Lm - December 17, 2013

      When I saw that the firm was asking the confidential information, I checked with a colleague who did register with Idintegrity. He reassured me but when I logged on and filled in the form, the thing didn’t go through – their site was having problems. Now I’m wondering if they captured all that info on me and are not really there at all!

      • T - December 20, 2013

        Same thing just happened to me. I’m at a different university now, studying for my Accounting Information System final tomorrow, and reviewing all the different types of fraud made me paranoid enough to take MCC up on their offer to provide me with a year of free credit monitoring. I got all the way to the page submitting my acceptance to the terms and conditions, but the site wouldn’t stop loading until it finally errored out. I did receive an email, so hopefully that means everything is okay. But I can’t help but wonder the same thing… whether this is legit or not. That is what lead me to searching and finding this website. This is a big deal. I don’t know Kroll, or idintegrity, and I’m hoping a didn’t’ just open myself up to a bigger mess by attempting to sign up for their service.

        • David - December 23, 2013

          I called the MCC’s hotline and they assured me the site was legit. I keyed in my SS# and they came back with accurate questions about which loans I had take out, who had lived with me in the past, etc. Like others, when I got to the end of the registration I got the message below. I called the #, it’s fhte hotline again, they apologized for the website and checked if I was actually registered. Despite saying they didn’t keep my information they had, I was registered. I’ve sent an email to MCC and the AZ Attorney General’s fraud office.

          We’re sorry but…

          We are unable to complete your subscription due to a system problem. As a result of the error, we have not retained any of your data. Please return later to subscribe or contact Customer Service at 855-330-6366

  16. sam - December 13, 2013

    Havn’t tried the wed site yet, may not. wondering, has anyone talked direct to the college?? the news may be triggering off the flap from the letters?? anyone signed up to idintegrity yet?

  17. pedro - December 13, 2013

    Received the same letter as everyone else today. But I’ve never attended this school. Hello im in New York and never left this state.

  18. mike - December 14, 2013

    Was a student back in the ’80s and received the letter today. I have no idea how they found me on the east coast, but I guess it’s a relatively small world. It’s interesting that the web site they have in the letter ( doesn’t work at the moment. Perhaps their web site uses the obamacare site developers.

    • anonymous - December 19, 2013

      More likely the NSA…..

  19. Hillary - December 14, 2013

    I got this letter in today’s mail, NEVER went to anything what so ever connected with MCC schools, attended U of A in the 70’s, period. What I don’t understand is how they even found me or would possibly have had ANY data on me in their system. I already do pretty heavy credit monitoring and have fraud alerts on all my files so no one can open any credit in my name without me being personally contacted to verify the info. I know this works because when I have tried to open a new account I can never get “instant approval” even though I have a very high FICO score and call always qualify.

    So folks, a word to the wise, you don’t need to give these people any info, just contact the 3 major credit bureaus, let them know that you are concerned that you COULD be a victim of identity theft due to exposure of your info from MCC, tell them to put a fraud flag on your file. It will slow down you getting credit by a couple of days and will result in a phone call from the the security people at the institution you are applying for credit at, but you won’t find anyone able to get credit in your name either.

    The alerts are good for 90 days and will be auto renewed by the various bureaus, this is all FREE, don’t let them talk you into paying for any monitoring if you don’t want it, this will stop the bad guys. You need to contact Equifax, Experian and Trans Union and you can find their info here:

    I hope that helps!

    • anonymous - December 19, 2013

      thank you very much for the tip! I am guessing that the credit bureaus will be a little hard to reach by phone for a while with 40 million distraught Target customer running around out there!! I’ll probably go the certified mail route.

  20. Rj - December 15, 2013

    What is amazing is that this is blamed on employee misconduct and yet no one is questioning the people that controlled the finances and made the decisions. This has been a train wreck waiting to happen for years. Software was outdated because so many custom modification were done and not documented, that it was impossible to update before the software lost support . Similar to losing support for Windows XP. If Maricopa does have breach insurance, I doubt it will cover a breach caused by ignoring security best practices. It’s not like the District hasn’t been warned about the risk, they simply put their heads in the sand and hoped it would go away. I doubt, even in 7 months, all the data has been identified and no one has indicated when or how long the breach has been going on. The District only found out about after the FBI notified them, it could have been going on for years!

  21. Bill Cotter - December 15, 2013

    My son received one of the letters on Friday. I don’t think he has even set foot in Arizona. I don’t know what’s going on with these letters but will be calling the school for sure to follow up.

    • Dissent - December 15, 2013

      Please let me know how they got his info. I’m wondering if the college bought lists for advertising/recruiting.

  22. Tropicalbob - December 15, 2013

    I haven’t gone since the 80’s. My son who has been going since 2007, still enrolled, hasn’t received any such letter. The letter looked suspicious to me.

  23. Chuck - December 16, 2013

    My girlfriend and 90 yr old grandmother also got these letters and niether have ever registered at any college let alone one affiliated with MCC. Hmmmm

  24. Christopher Marzoq - December 16, 2013

    Received my letter today. This is my second time (first time was from a financial institution) where my information was stolen/misplaced/released/etc.

    I am so sick and tired of institutions not having the proper security in place to prevent these type of things. At least my first time, we received more of an explanation than from MCC. The last time I was given a full-year of the same type of services.

    Granted nothing happened to my credit fortunately, I feel like there needs to be some type of repercussions for these institutions besides the costs of providing these services to those whose information was taken.

    My last experience with the financial institutions provided me with a “good” type of service which was highly reviewed online. I am extremely disappointing with the service MCC provided to me. This website is poorly built and leaves the user confused and wanting more information than what is provided online, without having to call a freaking toll free number. I searched for reviews about this service and found Nothing which causes suspicion.

    I would not be surprised if the Chancellor or someone affiliated with MCC has a “relationship” with this id theft parent company, or they chose this company because of the low cost (which the appearance of the site would imply). I do not want to talk to a licensed investigator, I want to go online and check all statuses of my credit report and be able to view details.

    The 8 month time delay between the incident and my letter is appalling. My letter says October 18th, they determined my information has been accessed, while this article says April.

  25. Roger - December 16, 2013

    Please help!!

    I got this letter as well today in the mail! I am not sure if I should trust this letter or not. I attended college in Northern AZ at a private university for aeronautics. This was in Yavapai County and NOT in Maricopa County. Something is really strange here. Please help!

    • Anonymous - December 16, 2013

      I receive this letter today in the mail

  26. Norma - December 16, 2013

    I am just wondering if anyone has looked at or registered on I got this letter about 7 days ago and I am just wondering if I should look into the idintegrity website or if I would be better off talking to my bank to have my accounts monitored. Any idea?

  27. Mark - December 16, 2013

    Same letter as the rest. Have recent credit card fraud, but I believe it is not related to this subject. MY GUESS is that the breach occurred a couple of years ago. Had ID theft from Arizona, using my identity, but as a female with slight change to the name. I would never have known this, but OPM contacted me due to my security clearance to go to the a Social Security office and fill out a reporting form.
    Notice how the Chancellor was recently appointed to the Homeland Security advisory council… guess is this is a payoff for all the illegal alien voters he brought to the Dems in 2012.

  28. Jonathan - December 16, 2013

    I too received the letter in the mail. Rather concerned of any security breach etc. and cannot even remotely figure out how I recieved a letter. Never attended Maricopa or its colleges that I recall unless I took a certification course or something. I dont know but one thing is certain, in no way am I going to use the provided idintergrity site or give any info to them. Something smells fishy with all of this. Beware!!

    • Dissent - December 16, 2013

      Yes, I’m waiting for a formal statement from MCCC that I can post to this blog, but it seems a lot of people may have take online certification or re-certification courses for their work (fields like EMT and other fields) and never realized that MCCC was involved in their course.

      IDintegrity is legit. Kroll is a huge well-known firm. I will be speaking with them tomorrow about the IDintegrity web site as it just doesn’t inspire confidence in the average consumer who doesn’t know about Kroll.

  29. joe - December 16, 2013

    2.3 million letters notifying people their id may have been stolen? Just the postage alone is astronomical. What idiot would leave millions of Arizona citizens vulnerable with their sensitive data laying around for hackers to steal? What is this place the ACA website? This is a crime by the community college. They will be getting sued up the ying yang over this one. Stupid twits.

    What I want to know is what they are doing to purge the records of students once they stop taking classes.

    • joe - December 16, 2013

      This reminds me of the NSA trolling for information to give to the IRS so they can attack political enemies that don’t agree with the liberal progressive idealism .

      • anonymous - December 19, 2013

        PEOPLE: Of the government, by the government, for the government!! Welcome to the future! Throw ALL the bums out!

  30. kim - December 17, 2013

    I decided to join LifeLock instead of that this letter says. I received two letters at home one for me and one for another person I have never heard of before. It is $25 a month for LifeLock and I know they are a legit service.

  31. Danny - December 17, 2013

    Ok people…..lets get organize. we need someone that lives near the school and can go and talk to them and let us know whats going on. and if we are going to do lawsuit get a hold of a lawyer that knows how to deal with this. if u dont live in that state, u probably did a certification online which is done by MCCC and thats how they got your info.

    • robvettor - December 17, 2013

      How about a class-action lawsuit?

      Like many of you, I have never attended the school and have not lived in AZ since 1999. Yet, here they are maintaining my confidential information on their unsecure servers. Interesting they know my current out-of-state address. The response from their call center is pure nonsense and they tell me that they intend to maintain my data forever due to AZ Statue ARS41151, despite my explicit request to purge it.

      • Anonymous - December 17, 2013

        Yeah the same here don’t live in AZ and have never attended one of their school’s. I think A Lawsuit is in order.

      • Mel U - December 17, 2013

        I definitely think there is some sort of data/personal information share going on between colleges. I was accepted to ASU, moved to Phoenix for 8 weeks and decided it wasn’t for me and moved away — never attended a single class at asu, let alone anything to do with Maricopa CC. Info sharing had to have happened with other schools too, which I am NOT ok with! And that needs to be investigated further.

      • anonymous - December 19, 2013

        I think Lifelock for life would be a more fitting penalty for them!

  32. Cara - December 17, 2013

    Danny I never gave them my current information and haven’t been in AZ in about 11 years.

    This whole thing is atrocious and I think a lawyer is needed. The article I read said the FBI caught wind they were selling our information, these school workers. Our identities being stolen and sold like that is unacceptable in my opinion.

  33. Danny B - December 17, 2013

    In this news article in explains how you personal info was corrupted even if you were never in AZ, and explains the letter we all received is legit and not a sell you letter but to break your personal info. You can also run a search engine on identity theft. Chase has a idenitity theft kit filled with info to protect yourself from id theft and account take fraud. I never use my MMN on my debit and credit cards anymore. Change it to a Password.

  34. Anonymous - December 17, 2013

    We knew the site got hacked a few years ago, because the FBI contacted us before. We hired a security company to come in and help fix it. We begged upper management to let us wipe the server and start over and they refused. The contract to pay for those services are discoverable through AZ public records law. Someone just needs to be a journalist and look for it.

    • Dissent - December 17, 2013

      MCCDCD claims that in January 2011, the FBI contacted MCCCD and informed IT that one database was up for sale on the Internet. They claim they then conducted an internal investigation and then brought in Stach & Lui to investigate vulnerabilities, etc.. S&L issued a report that went to IT, but according to MCCCD, that report was never seen by executive leadership. They claim that in May 2013, while investigating the newer FBI report that there were now 14 databases up for sale on the Internet, they learned that IT employee(s) had withheld crucial information from Stach & Lui in 2011, and it was the withholding of that information/obstruction that was ultimately responsible for the 2013 episode.

      In other words, they’re hanging this on the bad behavior of one employee, it seems.

      If you know otherwise, I’d love to talk to you. I don’t have time/resources to do FOI requests for every breach and am busy investigating another breach, but if you’ve got something usable/reportable, I’m all ears.

      • ASUStudent1993 - December 19, 2013

        Does anyone think this has to do with the Maricopa County Sheriff’s Former IT Director, Robert Rampy??? He just received a sealed indictment for hacking 14 Maricopa County databases.

        I went to ASU through 1993…never went to MCC.

  35. Jennifer H - December 17, 2013

    My two daughters and myself all received the same letter in the past week. None of us have attended MCC but I think we all may have looked into classes there. So not sure what information they may have had about us. The link to the website doesn’t work, that’s how I ended up here. Sounds like a scam to me!

  36. Anonymous - December 17, 2013

    I have never taken Classes In Arizona Beyond 8th Grade and haven’t lived in AZ Since 1992. How Do They Have MY Personal Information?

  37. Anonymous - December 17, 2013

    There needs to be a class action lawsuit filed… I am so upset. I applied at MCC, but decided not to go. This is what I get?

  38. Mark - December 17, 2013

    Yup. I got the same letter today. My brother as well. We both currently live in the same house and both went to MCCC.

  39. Tim B - December 17, 2013

    I received the letter about a week ago and I’m glad I found this site. I’m not too worried though, since my letter indicates no credit card info was taken.

    Now that we’ve been told the NSA is capturing not just all email, but recording cell phone locations too, I think we have bigger things to worry about.

    Hopefully, our Justice Dept. will gather some courage and start to deal with data breaches and theft, unauthorized sharing of personal info, and unethical violations of privacy.

    I plan to check back here for updates to this goofy situation.

  40. Rick D - December 18, 2013

    I received the same letter, though I still think something seems fishy about it. I attended SCC in the early 90’s.
    I’ve since moved to 3 different states and never contacted MCC to have them update my records… So, how’d they find me?
    Granted, this may be one reason it took so long for them to send out letters to those of us at risk.

    If this really impacts 2.3 Million people why isn’t there more reporting being done on the subject from reputable news sources (granted, what’s reputable?).
    I searched Google and didn’t find any of the big syndicates running this story. I only found sites I’ve never heard of like this one, azcentral,, esecurityplanet… etc. running with the story. That’s concerning to me. (No offense to this particular site – it may be reputable, I’ve just never heard of it).

    I would love to hear that this is just a scam to get us to sign up with some credit protection company. Fingers crossed…

    I think a call to the 3 National Credit Bureaus to add a ‘fraud alert’ is the best option.
    Equifax, Experian, TransUnion

    Good luck…

    • Dissent - December 18, 2013

      Most members of the public don’t know about my site until they go looking for coverage on a particular breach because Google doesn’t index this as a news site because I publish under a pseudonym. My site is very well-known, however, among those who research or are concerned about data breaches, and many mainstream reporters use my site for information on breaches. IOW, yes, this is a reputable site. 🙂

      As to why the MSM haven’t picked it up more, that’s a great question, but I suspect that breaches like this one, while tremendously impactful for those affected, are a drop in the bucket when it comes to breaches. In this past year alone, breaches have exposed over 700 million records, so MSM tends to focus on breaches that each impact tens of millions of people.

      Sad, isn’t it?

      • Dakota - December 19, 2013

        I received the letter also and have ever attended MCC. I understand security breaches, but how did they get any information about me and why are they storing it??? I’ve never been affiliated with any community college in AZ. So what’s up?

  41. Chuck - December 18, 2013

    I received the letter a few weeks ago and have been thinking about doing something… I was a wine maker/grape grower instructor for several years at MCC. Haven’t lived in AZ for the past 6 years. The letter look fishy to me too. As does the IDIntegrity website – very low cost/bad impression design.

  42. Anonymous - December 18, 2013

    Hubby and I also got one. I too would like to know how they got our out of state address. Not signing up with the Idintegrity site. Too shady. Will put a credit freeze on our accounts with the big three instead.

  43. Angela - December 18, 2013

    Got the same letter….sounds fishy. Definitely going to contact credit bureaus-don’t trust this company letter from them. Keep posting updates because I will be following them!

  44. Janet - December 18, 2013

    Got one of the letters. Called the toll free number. I did take a few classes to prep me for a state licensing exam back in the early 90s but didn’t know they were part of MCC. I was told they found me and everyone else by hiring a professional investigation firm so it looks like no one can hide anymore. I was going to sign up at this ID Integrity but after reading all the above, I will stick with the 3 credit reporting agencies. The bummer is that all the expense to cover their rear will probably increase my property taxes. Please include me in any future actions and I will check in at this site too. Thanks for doing this.

  45. W.T. - December 18, 2013

    I received my letter yesterday and googled it to see if it was a scam. I live in MN and have never even applied to MCC so I have no idea how they even got my information.

    I want action!

  46. Max - December 18, 2013

    I too have received this letter and did some additional checking. I called the Maricopa Community Colleges (there are about 10 different county colleges they cover) at 480-731-8000. Their address is: 2411 W. 14th Street, Tempe, AZ 85281. The phone line directs you to a call center they set up to handle calls regarding this issue. I spoke to them and found out that MANY people are demanding that their information be removed from MCC’s computer systems.

    Of course they are claiming that AZ law prohibits them from destroying “public records”. The call center person was not well informed, so I am supposed to get a call back from someone who is better informed and I will be discussing with them whether my personal info is a public record.

    I am appalled at how MCC waited 8 months to notify people and then failed to put any information in the letters on how to contact them.

    • robvettor - December 19, 2013

      Left messages with 3 different people about purging my information. That was 3 days ago.

      How about a class action law suit?

  47. Etian - December 18, 2013

    This came addressed to my mother at the PO Box that I set up for the exclusive purpose of filing her bankruptcy. I did this because she is vulnerable to scams, and expected there would be many after the bankruptcy, as the mailing address is a matter of public record. I’m pretty sure this is 100% scam, unconnected to Maricopa Community Colleges. It would behoove Rufus Glasper and MCC to nip it in the bud, or confirm it on their own website.

  48. Max - December 18, 2013

    I just called the toll free number in the letter and it connects you to the Kroll company. I spoke to them and found out through some pointed questioning that the security breach was an internal breach by one of MCCC’s employees. Can’t imagine why they did not put that info in their letter instead of the nonsense about how they were, “…applying increased security controls”. Also, in order to get the Kroll company credit monitoring service, you have to give them all of your personal information and hope that their employees are honest.

    • Dissent - December 18, 2013

      All credit monitoring firms will need your personal information, including Social Security number, to monitor your credit reports. How else can they determine which person to monitor and what the information should be? Have some of these firms experienced insider breaches where a dishonest employee misused info? Yep, but the alternative is you spend the rest of your life placing a fraud alert on your credit reports every 90 days or so. And if something happens (like ID theft) and you didn’t sign up for the free credit restoration services, then you’re left dealing with them at your time, expense, and frustration.

  49. Harmonator - December 18, 2013

    My letter dated 12/11/13. I have a feeling that the letter mailings were staggered to avoid a type crashing of inadequate systems at Heads up to anyone using the service: it is monitoring only!! It will not show you any history. do not expect to see your credit score or your credit report after signing up. Kind of useless if you ask me.. since damage could have been done at any time that MCCCD had their heads up their a$$ over the last several months that it took between knowing there was a potential breach, and telling the effected parties. Disgraceful. The chancellor is a CPA! Any CPA worth his salt will know about proper implementation of system/process controls. He should resign.

  50. Russ - December 19, 2013

    I received the letter dated Dec. 9 regarding MCCC security incident. MCCC offer security monitoring through Who are they? Are they Kroll Advisory Solutions at
    or Who certifies their safe guarding of information? Why would I just enter my social security out onto another web site offering free monitoring with absolutely no recourse or insurance for safeguarding my data. We should be offered an insurance policy against financial loss.

  51. Justin - December 19, 2013

    I received the letter, confirmed on MCCCC that a breech did occur, signed up for their credit offering. The latter doesnt actually do anything but email you an alert if something happens. There is no access to current credit data as one might expect.

    I called the number today to start investigations; they put me on hold; and then told me everyone is busy and they would call me back. They never did!

    I have an old bank that I used when enrolled at MCCCC that is calling for my current address, and a collection agency calling to collect on an alleged promissory note…all of this within the time frames??? Something is wrong.

  52. Dakota - December 19, 2013

    Been a hellooooo of a day… I shopped a target too.

  53. Lin - December 20, 2013

    I too was enrolled in early 90’s. When you log into idintegrity with your “membership number” the first thing they as for is your SS#. You would think that they would have it if it was in you records at the college?? My letter is dated Dec 11, 2013.
    The whole thing stinks!!

    • Dissent - December 20, 2013

      The college cannot give IDintegrity your SSN because they don’t know if you’ll want to sign up for the service. You’d be furious at them (rightfully so!) if they did give it out without your request or permission.

  54. mcc student - December 20, 2013

    Everything you need to know about the incident is posted on the New Hampshire DOJ’s website. Here is a link to a government letter describing the incident, the timeline, and the remediation steps taken. The end of it contains a copy of the IDIntegrity / Kroll letter everyone is receiving. Its not a scam. The IDintegrity website has been down for a while though, which is sad.

    • Dissent - December 20, 2013

      Thank you. I had linked to that letter and cited it in my blog post “Lessons to be learned” about the MCC breach.

  55. anonymous - December 20, 2013

    Think of all the poor students graduating from this school district and having to put this school on all there future job applications (especially those with IT degrees)!!!

    “Question: So where did you go to school?” Answer: “er, well…do you remember that school that was hacked? Well, that one.” You are hosed for life.

  56. AreYouKiddingMe? - December 23, 2013

    I also got one of these letters. I have a lot to lose if my identity is stolen as I have considerable assets in banks and investments. Not much I can do other than wait for the possible knock at the door from somebody telling me I owe them a few hundred thousand.

    That said, I do not trust this idintegrity web site. It looks like scam site and offers nothing to inspire confidence in me. In addition there is no contact phone number to talk to a human. I really hope there is a class action suit. MCC needs to learn a painful lesson. I am totally disgusted.

    • Dissent - December 23, 2013

      There’s plenty you can do to protect yourself, and you should.

  57. Shaking Head - December 23, 2013

    I found this site after looking at the letter I got recently; I was going to go thru with the idintegrity thing, but something just didn’t seem right about it – so I did some research, and here I am. I ended up putting a 90 day fraud alert on my credit file via Equifax (which also auto-updates Experian and TransUnion). I’ll probably pull my credit file from one of the three in January – I’ve had a recent (a couple of months ago) issue where my bank (BofA – they may be evil in some ways, but they do a helluva job monitoring their systems) had to issue me a new debit card/number because of possible fraud (but I never noticed anything on my statements or such – I watch those weekly or more often). Given how long this breach has been going, I doubt that anything I do now could much change things. My greatest worry is somebody using my name/info for employment purposes, or some other scamming (or illegal) reason, only for it to come back on me later.

  58. L - December 27, 2013

    My concern with IDintegrity/Kroll is that when proceeding forward on their site, they have weird restrictions on username and password. I can’t have special characters, and it must be between 6-15 characters? Password and username length shouldn’t matter if they are properly hashed, but this implies that they’re using an old database…which will eventually get hacked.

    It’s the circle of life, or something.

Comments are closed.