Maricopa Community Colleges notifies 2.5M after data security breach (update 6)

Tim Gallen and Mike Sunnucks report:

The Maricopa County Community College District is notifying nearly 2.5 million students, former students, vendors and employees because their personal information may have been exposed in a security breach.

The Tempe-based college district announced today that it is contacting 2.49 million students, employees and suppliers that their information may have been exposed without authorization.

Sensitive information such as names, birth dates, Social Security numbers and bank account information was exposed, according to the district. MCCCD operates 10 community colleges and also has dual enrollment programs with local high schools.

However, MCCCD officials are not aware of any evidence of any misuses of personal information. Spokesman Tom Gariepy said students or others who worry about identity theft or other fraud can contact a credit services company the district has hired.

“While we are not aware of misuse of anyone’s personal information, we are providing resources to assist all of the people whose information was in these systems, including credit monitoring and other identity safeguards, managed by a nationally known identity protection firm,” said MCCCD Chancellor Rufus Glasper in a statement. “We are examining every aspect of our IT operations, and the changes underway are making us stronger system-wide.”

District officials learned of IT security issues in April this year and began investigating.

Read more on Phoenix Business Journal. In related coverage, KPHO reports that the college district learned of the breach from federal law enforcement on April 29. They also report that names, dates of birth, Social Security numbers and bank account information – but not credit card information or health records – were exposed. Neither news source is clear about the nature of the breach.

UPDATE: I see commenters questioning whether it’s a legitimate service. Note the reference to Kroll on the site. Kroll is a well-known company for cybersecurity issues. Its parent company is Altegrity. You can check them both out. That said, I agree that IDintegrity’s web site is lame. They should have introduced themselves and their credentials before asking people to input their personal information.

UPDATE 2 (Dec. 16): I just spoke with MCCC about comments that people do not know why they are receiving letters or how MCCC got their information. IDintegrity should be able to give you that information, but MCCC will be sending me a statement explaining it that I will post on this site when I receive it (hopefully later today or tomorrow). Stay tuned…

UPDATE 3 (Dec. 17): I also spoke with Kroll/IDintegrity today and told them about concerns with the site. I urged them, too, to respond. So far, I have not received any statement from either MCCCD or IDintegrity that I can share with you all. I feel your frustration. And I’ve written another blog post based on your experiences, “There are lessons to be learned from the Maricopa County Community Colleges breach. Learn them, dammit.”

UPDATE 4 (Dec. 19): I have received no statements from MCCCD or IDintegrity/Kroll to post here. How foolish of them not to respond when people are obviously confused, distrustful, and upset. They’ve provided a case study in how NOT to respond to a breach.

UPDATE 5 (Dec. 20): A self-described “ethical hacker” says all your personal information may still be at risk.

UPDATE 6 (Feb. 19): And now the litigation begins. See this post.

About the author: Dissent