NOTE: Do NOT contact me about this settlement or expect me to help you file a claim or anything. I am just a breach blogger/citizen journalist and advocate, but I am not your advocate. Do NOT post your details in comments, either. Follow the directions on the post card you received or go to http://www.mcccdclassaction.kroll.com and follow the directions there.
From the does-anyone-but-me-give-a-damn dept.:
Remember the MCCCD data breach in 2013 that I have not only ranted about, but also filed an FTC complaint about under the Safeguards Rule? To date, it is the largest data breach ever in the U.S. education sector. [For earlier coverage, search this site for MCCCD].
Now Will Stone of KJZZ reports that there’s a proposed settlement to a consolidated class action lawsuit over the breach. The proposed settlement would give class members an additional year of credit monitoring and restoration services, would give named plaintiffs up to $1500, and would provide a promise to try to comply with a June 2014 state audit that found infosecurity deficiencies (still). Attorneys for plaintiffs would get up to $2.4 million if the court approves their request.
MCCCD had already offered free credit monitoring to the 2.4 million students, vendors, and employees affected, as SSNs and other identity information were stored on the servers and may have been accessed. One of the curious aspects of the entire incident was that although the FBI notified MCCCD on April 29, 2013 that 14 databases were up for sale on a website, MCCCD never disclosed exactly what was in those 14 databases – instead talking about what was stored on the servers and what “may have been” accessed. Worse, their response to the breach was bungled so badly that no one could eventually figure out exactly what was accessed. At the very least, though, they should have been able to identify what was in those 14 databases that the FBI reported were offered for sale.
Over the following year – as MCCCD tried to protect its chancellor and management from accusations that they had ignored repeated audits and advice of their IT security professionals, and as they busily threw employees under the bus – three potential class-action lawsuits were filed, each alleging concrete injury.
So with concrete injury alleged, why would the lawsuits settle for only another year of credit monitoring and restoration services?
In response to an inquiry from DataBreaches.net, MCCCD spokesperson Tom Gariepy sent a copy of an email the Chancellor had sent to all employees about the settlement:
Data security issues that came to my attention in 2013 as a result of an incident led several plaintiffs to file lawsuits against MCCCD. The plaintiffs claim that they were harmed because the District took insufficient action to protect their personal identifying information from possible exposure to unauthorized access. In the lawsuits, there was no evidence that any personal identifying information was actually accessed by any unauthorized party. MCCCD denied the legal claims and immediately moved to dismiss them.
However, to ease any ongoing concern and resolve the lawsuit without further legal expense, the Governing Board has approved an amicable settlement negotiated by counsel for the parties. The settlement offers members of the class an additional year of Kroll’s One Bureau Credit Monitoring, Consultation, and Restoration Services.
Members of the class will soon receive a postcard explaining the options available, and referring them to a website (http://www.mcccdclassaction.kroll.com) for more information. The site contains an example of the postcard. It also contains contact information for legal counsel appointed to represent the class, who will respond to your questions about the terms of the settlement and your options.
It is likely that you are a member of the class: (1) if you were a Maricopa employee, student, or contractor on or before November 27, 2013; or (2) if you received a letter notifying you of the security issues and offering you free credit counseling, monitoring, and restoration services. I urge you to look for the card in the mail and when you receive it, to take advantage of the services being offered.
MCCCD takes security of the data it holds very seriously and since the incident, has invested heavily to upgrade its systems and software, secure its data, and hire and train additional staff to provide continued data security.
A copy of the settlement agreement can be found here. The approved proposed settlement order can be found here (pdf). It’s not clear from the Chancellor’s e-mail whether MCCCD’s insurance will cover the costs of the added credit monitoring, attorneys’ fees, plaintiffs’ awards, and costs of repairing and improving infosecurity. The breach had already cost MCCCD approximately $20 million by early last year.
Of note, the settlement papers reveal that there was actually a prosecution for hacking in the wake of the breach. David Jules Axelrod (age, location, and date of birth unknown to DataBreaches.net) was prosecuted in federal court in Phoenix in 2014 on a misdemeanor charge under CFAA. Axelrod pleaded guilty, and in his statement, he said:
On or about April 28, 2013, I, David Jules Axelrod, used a software program and discovered that I could access a portion of a computer server at Maricopa County Community College District (MCCCD). […]
The information I obtained consisted of MCCCD database files. None of the information I accessed from these database files contained any Social Security numbers, birth dates, motor vehicle information, driving record information, addresses, telephone numbers, place(s) of employment, e-mail addresses, or financial information. Also, there was no information regarding employees, vendors, or other third parties in the files I accessed. I did not retain any copies, electronic or otherwise, of the information I accessed. I had no intent to and did not profit from accessing MCCCD’s information. I did not attempt to sell the information or otherwise publicly disseminate it. I am not aware of anyone else maintaining copies of the MCCCD information that I obtained.
In December 2014, Axelrod was sentenced to one year of probation on the misdemeanor charge of Obtaining Information by Computer in violation of 18 U.S.C. § 1030(a)(2)(C) and ordered to pay a $25.00 special assessment.
Axelrod’s statement was included in the settlement papers, and may have been used to suggest that the breach wasn’t that bad and/or that plaintiffs would have an uphill battle linking any fraud to this breach. Attorneys for the plaintiffs in the consolidated case have not responded to inquiries from DataBreaches.net as of the time of this posting. But Axelrod’s statement, if true, is in conflict with the FBI’s finding that 14 databases were being offered for sale in April, 2013.
Under the circumstances, and assuming the truth of Axelrod’s plea, it appears that there may be another hacker or other hackers involved. Attempts by DataBreaches.net to find out if there has been any other prosecution for the MCCCD hack have been unsuccessful so far, but an MCCCD spokesperson said that to their knowledge, there have been no other prosecutions. They also confirmed that Axelrod was not a student at MCCCD or affiliated with them in any way at the time of the hack.
DataBreaches.net also asked MCCCD whether either the U.S. Education Department or the Federal Trade Commission had ever contacted MCCCD about the breach or investigated it.
The answer to both was “no.”
And that, folks, is an epic #FAIL on both federal agencies’ part. Universities and colleges contain a wealth of personal, financial, sensitive, and medical information on students, and no federal agency looks at or enforces data security? Even when 2.4 million were notified of a breach? Would MCCCD be just promising to try to comply with recommendations if the FTC came down on them – or would they actually comply and comply more promptly? I guess we won’t know.