Jun 16, 2014

The 2013 breach at Maricopa County Community College District (MCCCD) in Arizona affected approximately 2.5 million faculty, staff, vendors, and students, making it the largest breach involving student information ever reported by a U.S. institution of higher education. A complaint by this privacy advocate alleges violations of the Safeguards Rule.

Having researched and reported on breaches for about a decade now, some breaches strike me as really appalling, and the MCCCD breach is one of those. Limited available public records suggest that MCCCD knew they had a problem in January, 2011, but failed to remedy identified vulnerabilities completely – despite repeated warnings by their own personnel and state auditors. By failing to address known risks, they left the door open to a second, massive data breach in 2013 that included personal and non-public financial information. As one of the largest higher education systems in the country, MCCCD was leaving a quarter of a million students’ personal and financial information at risk each year, not to mention the personal and financial information of faculty, staff, and vendors. The risk was not confined to current students, either: when the breach was disclosed, students who had not attended MCCCD in decades found themselves now having to worry about becoming victims of identity theft.

Because I have complained for years on PogoWasRight.org that student data privacy and security are not being adequately protected and the government has done little to enforce either, and because I think the MCCCD breach is the poster child for poor data security in higher education and poor breach response, I have filed a formal complaint with the FTC to ask them to investigate MCCCD’s data security.

While the FTC does not have authority to enforce Section 5 of the FTC Act over non-profits (which most universities and colleges are), the FTC does have authority to enforce a law known as the Safeguards Rule. That rule requires covered organizations to have a comprehensive information security program, and provides specific standards. The FTC has enforced the Safeguards Rule in nine cases, but none of them have been in the education sector. Because MCCCD’s own internal documents state that they are obligated to comply with the Safeguards Rule, I filed the complaint under the Safeguards Rule.

If the FTC investigates – and I hope they do – they will find what I think are a slew of unreasonable data security practices that violate the standards and were likely to cause customers and consumers significant harm. Penalties for non-compliance with the Rule include civil penalties of up to $10,000 per violation for officers and directors personally liable, and for the financial institution liable, penalties of up to $100,000 per violation. Criminal penalties include imprisonment for up to five years and fines. 

What You Can Do to Help Yourselves

If you were affected by the MCCCD breach, you can contact the FTC to file your own complaint about the breach. Tell them that you want them to investigate MCCCD under the Safeguards Rule or whatever other authority they may have, for unreasonable security practices and the harm they have caused or were likely to cause you. The FTC’s online complaint assistant form does not seem well-suited to this purpose, so you may want to call them. You can also tell them you support the complaint filed by “Dissent” of DataBreaches.net.

Previous Coverage of the MCCCD Breach on DataBreaches.net:


May 17, 2014
[Image: President Truman with his “The buck stops here” plaque on his desk. Source: Wikipedia]

President Truman had a sign on his desk that said, “The buck stops here.” We could use more of that accountability when it comes to data breaches in the education sector.

Back in 2006, when I first began blogging about data breaches on PogoWasRight.org, I covered a series of breaches at Ohio University. One of the things that made the Ohio U. situation newsworthy was that the university publicly fired two IT Managers.  The firings made sense to some, who suggested that having heads roll might be a smart public relations move to show that the university took the breach seriously.

But shouldn’t the heads that roll be the heads that were responsible? The two Ohio University employees were subsequently found to have had no responsibility for the breaches. Stunningly, even though a grievance committee recommended reinstatement and an apology, the provost decided she would not rescind the firing because they “failed in their responsibility for designing and maintaining a secure network.”

Firing employees for not providing a secure environment after you’ve ignored their recommendations that might have prevented the breaches seemed somewhat unfair to me.

And that’s what seems to be happening again in the aftermath of the Maricopa County Community College District (MCCCD) breach that I’ve been covering on this blog since last year.

When MCCCD finally – seven months after they were informed of the breach – issued a statement and started notifying those affected, their notification to state attorneys general blamed IT employees who allegedly failed to live up to MCCCD standards and obstructed the investigation into the 2011 breach, allegedly thereby leading to the 2013 breach.

In the wake of the massive data breach, a number of employees resigned or were forced out. Based on information I’ve continued to review in my investigation, I suspect there probably were grounds to hold a few of them somewhat responsible. But what is concerning to me is that MCCCD initiated disciplinary proceedings against two employees – Miguel Corzo and Earl Monsour – who wouldn’t be forced out because they had done nothing wrong and refused to become scapegoats for MCCCD’s mismanagement of its IT department and data security.

It is Ohio University all over again.

Based on MCCCD’s organizational chart for its ITS department in 2011, neither Corzo nor Monsour had any responsibility for the web servers that were compromised in 2011. After the breach, they were asked to help and they tried repeatedly to get MCCCD to deploy appropriate security programs and controls that would have prevented the 2013 breach. Indeed, their efforts to address MCCCD’s inadequate security programs and policies began years before the first breach.

– In 2009, Corzo authored a strategic report to the District that made numerous recommendations that would be considered industry standard. His recommendations were allegedly dismissed by Vice Chancellor Kahkedjian.

– After the January, 2011 breach, Corzo, Monsour, and others, including Martin Gang (who left MCCCD in 2011), quickly identified the problems leading to the 2011 breach and what needed to be done to remediate it. They repeatedly tried to get MCCCD to implement the recommendations of external consultants and ITS personnel.

– When MCCCD didn’t address the security issues in a timely fashion, Corzo and Monsour filed an oversight report. MCCCD allegedly did not respond to it. Nor did MCCCD appear to implement recommendations in a state audit that had noted deficiencies and concerns – recommendations that MCCCD said they agreed with and would implement.

– Not giving up in their efforts to address MCCCD’s serious data security deficiencies, Corzo and Monsour escalated the matter by filing a grievance report in 2012. MCCCD allegedly did not respond to the grievance report, either. Neither has their Governing Board, to whom the grievance report was recently escalated.

Not surprisingly, then, in 2013, two years after it had suffered a similar breach that it had not fully remediated, MCCCD suffered a massive data breach that affected 2.5 million.

And MCCCD pointed the finger at two employees who had no responsibility for the first breach and had tried repeatedly and tirelessly to get MCCCD to implement effective policies and programs? Employees who weren’t even there in 2013?

Enough, already!

Inspection of the approximately 1,000 incidents in DataLossDB.org involving higher education institutions in the U.S. reveals that the MCCCD breach in 2013 was the largest data security breach ever reported by a U.S. institution of higher education.

Has MCCCD and its governing board accepted responsibility or said, “The buck stops here?”

No, they have not. They have seemingly tried to deflect blame to two employees who tried to protect customer and consumer information. And while MCCCD has tried to claim that a consultant’s report following the 2011 breach was never given to MCCCD at the “highest levels,” their claim has been loudly refuted by at least three employees who affirm that the report was given to the Vice-Chancellor of ITS at the time.

Yes, it would probably be appropriate to have some heads roll in this case, but if heads roll, it should start at the top – with the Chancellor and Vice-Chancellor – where there seems to have been serious failures in management. They need to be held accountable for failing to respond to repeated warnings and for failure to ensure that millions of people’s personal and financial information was adequately secured.

Frustratingly, while MCCCD is already facing several potential class-action lawsuits and is spending millions on security upgrades, credit monitoring services, lawyers, and consultants, MCCCD has so far escaped any federal regulators because no federal agency investigates or enforces data security in the education sector.

That needs to change. It’s high time the federal government took breaches in the education sector as seriously as it takes breaches in the business sector, the financial, and the healthcare sector.

Universities collect and store a tremendous amount of personal, financial, and health information. This year, parents and privacy advocates have created waves throughout the country about the importance of protecting student data in the K-12 sector. Many of the same issues apply to post-secondary education.

If the FTC can put businesses under a 20-year monitoring plan, and if the FTC can go after Wyndham for repeated breaches and inadequate security, it should have the authority to hold universities accountable for data security, too.

Ask not where the buck stops, MCCCD. It stops with thee.

And this blogger is going to do what she can to ensure that Congress and federal regulators understand that they can no longer sit on the sidelines and just hope that student data are adequately secured.

Just like Congress called Target officials in to answer questions about their massive breach, there should be a Congressional hearing about MCCCD’s data breaches. And if Congress really wants to understand how 2.5 million students, vendors, and employees wound up at lifetime risk of identity theft, it should have the FBI, MCCCD’s chancellor, vice-chancellor, Corzo and Monsour testify.  And in a second panel, they should have someone who can talk about breaches in the education sector, a representative from the U.S. Education Department, and a representative from the FTC to talk about what they currently can and cannot do with respect to enforcing privacy and data security in the education sector.

Will any member of Congress do this? If you agree it should be done, feel free to forward this commentary to your Senator and Representative.


Mar 29, 2014

I usually don’t find news about law firms’ contracts with respect to data breach-related services particularly noteworthy, but in the context of Maricopa County Community College District (MCCCD)’s data breach response, there’s been a newsworthy aspect.

Last year, MCCCD hired the law firm of Wilson Elser to handle their breach response.

As I noted on March 20, a law firm has sued MCCCD to compel production of public records related to the case after Wilson Elser failed to provide any requested documents, using personnel matters and concern for not providing a “road map” for hackers as their main explanations for not providing records. Had Wilson Elser advised MCCCD that they could and should withhold the requested records, or had their client instructed them to withhold the records against Wilson Elser’s advice? We’ll likely never know, but the failure to respond to public records requests has now generated additional litigation that may mushroom if media outlets also sue MCCCD for public records.

Additionally, employees involved in a personnel dispute over their roles in the breach informed DataBreaches.net that not only had MCCCD failed to provide them with the public records they need to defend themselves from disciplinary action, but MCCCD had gone so far as to demand they return records that had previously been provided to the employees under public records law. Did Wilson Elser advise MCCCD to do this or is this MCCCD’s decision despite advice from counsel? Again, we’ll likely never know, although statements made by one governing board member hint that Wilson Elser may have advised its client on the personnel/human resources aspect of the breach handling and MCCCD didn’t like their advice.

[Some of the involved MCCCD employees have created a timeline of the breach that covers the first breach in 2011 and what they allege are their repeated attempts to get MCCCD to respond to the unaddressed and unremediated security concerns. If documents support the timeline and allegations of Miguel Corzo and Earl Monsour, it’s a very damning situation for MCCCD, which has tried to hang responsibility for the 2013 breach affecting 2.4 million on the employees. The law firm of Gallagher & Kennedy, which represents some of the breach victims in a potential class action lawsuit, has now sought the court’s permission for an expedited deposition of Earl Monsour, who reportedly is gravely ill.]

In any event, when the MCCCD governing board met this week, one of the items on their agenda was the extension of Wilson Elser’s contract, although most of the discussion occurred in executive (non-public) session. The Arizona Republic reports that the MCCCD governing board voted 3-2 to extend Chicago-based Wilson Elser’s contract, but with an amendment that a Phoenix law firm must be brought in to assist with public records matters and litigation. The two board members who voted against the contract extension reportedly did so because they felt the lawyers had been “condescending” and “overstepping their bounds.”

So how did Wilson Elser offend its client – or at least two members of the governing board?  The Arizona Republic reports:

Board members Debra Pearson and Randolph Lumm voted against extending Wilson Elser’s contract on Tuesday night after questioning the way the firm has dealt with the district.

“I have confidence that we can find a Phoenix firm that will not be condescending and talking down to us and doing things that are inappropriate and out of order,” Pearson said.

She proposed terminating the Wilson Elser contract and hiring a local firm exclusively to handle the security matters. That motion failed.

The district’s staff attorney, Lee Combs, said that Wilson Elser has projects under way and that dropping the firm would be “extremely inadvisable and wasteful.”

Lumm said he felt as though Wilson Elser’s lawyers were telling the district what to do.

“My concern is that I don’t want a law firm telling us how to run IT, telling us how to run HR,” he said. “I think they’ve overstepped their bounds. I think it’s inappropriate for out-of-state lawyers to come in here and say, ‘You need to structure your IT this way.’

“We asked them for security advice only, and when they start reshaping our IT, that’s out of order.”

If MCCCD’s handling of IT and/or human resources was so problematic as to put them at risk of more litigation (the EEOC has reportedly contacted MCCCD after employees filed a discrimination and retaliation complaint), I would hope that their law firm would advise them on the human resources aspect of their breach response. Perhaps the problem is not with the law firm in this case, but with the client?

MCCCD is a publicly funded institution that has seemingly seriously dropped the ball on data security. It has not been forthcoming with all stakeholders about what happened in 2011 and after that. Instead of criticizing their law firm, governing board members should be taking a long hard look at management at MCCCD to see whether the employees’ allegations of non-responsiveness to the 2011 breach caused the current problems.  And they should immediately correct course and start releasing public records.

I think it’s reasonable to predict that the litigation against MCCCD will likely continue to mount and other plaintiffs – breach victims, employees involved in the breach, and media outlets – will likely join the fray. Stay tuned, as DataBreaches.net will continue to follow this case.

Update: ABC obtained the grievance report filed in 2012 by some of the ITS employees that pointed out the high risks and noted that recommendations made in 2011 had not been implemented. One of the employees involved informs DataBreaches.net that they never received a formal response to the grievance filed almost one and a half years ago. Documents such as the grievance report really challenge MCCCD’s attempts to blame employees for not making them aware of the situation or risks, and the employees who are sharing their story with the media in response to MCCCD’s attempts to blame them or to cover up failures at the administrative level deserve whistleblower protection.

Mar 27, 2014

Another lawsuit has been filed against Maricopa County Community College District. From the press release by the law firm:

Gallagher & Kennedy has served the Maricopa County Community College District with another notice of class-action claims on behalf of approximately 2.5 million students, parents and others whose private, confidential information was compromised in a massive data breach. The information included names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, demographic information, and as-yet-unspecified “enrollment, academic and financial aid information.” In April 2013, the FBI notified the District that this information was available for sale on the internet. Since then, the District has publicly acknowledged that the data breach “was due to substandard performance of [the District’s] IT workers,” and that the District had previously been notified of security vulnerabilities which went unaddressed. Moreover, the District’s counsel has disclosed that before beginning to notify those affected by the breach, the District took “remedial” action which prevented consultants from determining the extent to which the data had been accessed without authorization.

Unlike other potential claimants, the claimant in this notice, who has been adjunct faculty at MCCCD for a number of years, recently became a victim of ID theft. The complaint has been redacted by the law firm prior to uploading to their site:

Although [redacted] is very sensitive to the potential for identity theft, and takes great care to protect the secrecy of her PII, a thief with access to her PII recently opened a BillMeLater credit account in her name, using, among other things, her full name, address, date of birth and Social Security Number – information clearly obtained by the identity thief from the District’s 2013 Breach. [redacted] was extremely fortunate in that she already had a PayPal account when the thief attempted to steal her identity. Because BillMeLater is affiliated with PayPal, and PayPal had [redacted] email address on file with her existing account, the discrepancy between that email address and the one provided by the thief led BillMeLater to make contact with [redacted] directly, at which point she learned of the fraud. Nonetheless [redacted] experience (and that of many other class members) confirms that the PII available on the internet was in fact misappropriated, has in fact been misused, and will in fact be misused in the future. And notwithstanding [redacted] efforts to respond to the situation (for example, filing reports with the police and FTC and putting fraud alerts on her credit), there is nothing she can do about the fact that her PII was disclosed to one or more criminals whose identity remains unknown, and that confidential information will remain in the public domain permanently.

Mar 20, 2014

You may not be reading much in the news recently about the breach involving Maricopa County Community College District (MCCCD), but there’s a lot going on.  Unfortunately, MCCCD has reportedly not been particularly forthcoming with records that might shed light on what really happened back in 2011 when MCCCD was informed by the FBI that some personal information from one of their servers had been found for sale in the underground markets. Did MCCCD implement the necessary protections to prevent another breach of the same type, or did they fail to implement adequate security protections, enabling their massive 2013 breach? [Previous coverage of the MCCCD breach on this blog can be found here, here, here, and here].

Although MCCCD appears to be blaming an employee or two for the 2013 breach that affected 2.48 million students, former and current employees tell a significantly different story. There is now a website about the breach where they share some of their concerns.

In addition to the above, DataBreaches.net has heard from another former employee in MCCCD’s IT department who tells a frightening story of lax security with respect to credit card information and Social Security numbers. When asked about the 2011 breach, the employee stated:

MCCCD did not have an incident response plan at that time and I believe that the information never left a select group of IT Administrators.

While that seems to provide partial support for any claims that high-level administrators may not have been fully informed about the 2011 breach, it also suggests that their own failure to have an incident response plan contributed to the situation. The same employee also stated she made numerous attempts to get administration to address security concerns – all to no avail.

In December and January, the law firm of Gallagher & Kennedy filed notices of claim on behalf of two clients whose data were involved in the breach.

This week, they filed suit to compel MCCCD to produce its public records relating to the two data breaches. According to their press release of today, MCCCD did not provide a single document.  In their complaint, they allege that MCCCD did not respond to requests for records concerning the 2011 incident, and that MCCCD’s law firm cited “pending employment actions” (and employees’ privacy and due process rights), and not wanting to give hackers a “roadmap” as their justification for not providing responsive documents in a timely fashion.  MCCCD’s external counsel’s responses to G&K’s public records request are Exhibits I and K in the request for an Order to Show Cause.

DataBreaches.net notes that not only has MCCCD seemingly not produced even a single document in response to the G&K’s public records request, but they have reportedly actively attempted to recall records they had previously released to others.

The 2.4 million students affected by a breach that may well have resulted from MCCCD’s failure to respond appropriately to the 2011 incident deserve real answers and accountability.

The taxpayers whose hard-earned dollars support MCCCD deserve real answers and accountability.

Those of us concerned about data security and privacy protections need transparency so that we can all learn what went wrong, in the hopes others will not repeat any errors made by MCCCD.

I do not doubt MCCCD’s lawyers’ claims that MCCCD has 743 terabytes of information, but if ever a breach involving a public entity demanded transparency and accountability, this is it.  DataBreaches.net urges the court to order MCCCD to start producing responsive documents promptly.

Update: The Arizona Republic subsequently reported on the issue of MCCCD’s failure to produce responsive documents, as they are also seeking public records in the case.  DataBreaches.net is not as concerned about obtaining MCCCD’s contract with external counsel, although that’s certainly an issue of public concern and right to know, but this blogger would definitely like to see the 2011 report and recommendations following the first breach, and correspondence concerning whether the recommendations were implemented and might have prevented the massive 2013 breach.