The Maricopa County Community Colleges District data breach investigation they didn’t want us to see
In January 2011, DataBreaches.net reported that login credentials for the Maricopa County Community Colleges District (MCCCD) were up for sale on the black market. That month, the FBI also contacted Maricopa to alert them to the breach. In response to the incident, MCCCD brought in Stach & Liu (now Bishop Fox) to investigate and make recommendations.
Following MCCCD’s second – and massive – data breach in 2013, this blogger filed a formal complaint with the FTC (pdf) asking them to investigate MCCCD’s data security and to take action to protect the financial and personal information of students, vendors, and staff. Yesterday, EPIC filed a supplemental complaint (pdf), also calling on the FTC to investigate and take action against MCCCD to protect personal information.
Today, in the first of what is expected to be a series of reports, DataBreaches.net is disclosing what Stach & Liu found in their preliminary investigation of the 2011 breach. In February 2011, they reported that the Application level, they found:
- Comprehensively insecure code with systemic critical flaws like file inclusion and injection
- Hundreds of attacks per month as far back as analysis was performed for file inclusion and SQL injection; and
- No secure coding practices identified whatsoever
For the compromised web server, they found:
- All LAMP systems are running out-of-date versions
- 5 LAMP servers were backdoored with web shells
- Up to 29 virtual hosts were stored on a single server
- Blank passwords SSH keys were used to connect between systems; and
- Shared filesystems were used bewteen public web servers
Their findings from investigation at the database level revealed:
- 29% of passwords were re-used
- 21% of passwords were cracked in seconds
- 2 databases were poisoned with credentials to FTP
- Up to 140 databases were stored on a single server; and
- Databases dating back to 2000 used cleartext or unsalted passwords with FILE privileges
Note: the databases referred to above were those residing on the compromised webservers and other virtual servers. These servers were managed by the server team and MCCCD’s Marketing Department – not the employees MCCCD subsequently fired and tried to blame for everything.
The Stach & Liu report pointed out the consequences of what they had found:
- MCCCD had already experienced a data breach and loss
- MCCCD systems had been included in a botnet
- Backdoors were installed on servers
- Servers had been abused for Pharma marketing (spam); and
- MCCCD could experience brand and reputation damage
Stach & Liu made a number of recommendations for next steps in terms of assessment and remediation. As subsequent posts will illustrate, documents provided to DataBreaches.net – most of which have not been shared with the public under open records requests – indicate that MCCCD never fully implemented the recommendations of its consultants, its own employees, or state auditors who, year after year, noted data security control concerns.