ID breach may cost MCCCD $14 million

(Here’s what happens when you think it can’t happen to you…!  Remember, there are three kinds of networks: 1. One’s that have been hacked and don’t know it, 2. One’s that have been hacked and know it, 3. One’s that will be hacked…)

A massive data breach at Maricopa Community Colleges was a result of staff errors in the information technology department, and the estimated cost of fixing the problem and aiding victims could rise as high as $14 million.

An official with the Maricopa County Community College District said an outside consultant had determined that the April data breach, in which personal information of current and former students and employees may have been exposed, was due to substandard performance of IT workers.

“When Maricopa investigated the system, we found vulnerabilities that resulted from employee conduct that did not meet Maricopa’s standards and expectations,” college district spokesman Tom Gariepy said.

Gariepy said this week that no arrests have been made and that there is no evidence any data were seen or stolen. He would not identify the workers responsible or say how many IT employees are facing disciplinary action, adding that the outcome will eventually be made public.

The breach was revealed on April 29, when the FBI told district officials it had found a website advertising personal information from the community colleges for sale.

The district hired an independent consultant to review the situation and announced last week that it was notifying 2.4 million people that their personal data, including Social Security numbers and banking details, may have been seen.

The district governing board has approved spending up to $9.1 million for a consultancy firm to conduct a computer forensic analysis, inform people whose personal data may have been revealed, staff a call center and provide a year’s credit monitoring for potential victims.

And, on Tuesday, the board is scheduled to vote on approving an additional $600,000, taking the total close to $10 million authorized toward rectifying the problem. That is on top of more than $4 million authorized earlier this year to secure the system itself.

The district, which has an annual budget of $1.7 billion, has not addressed how to pay for the costs. Gariepy said he did not know whether they could be covered by insurance.

The district did not disclose the problem publicly until late last month. Gariepy said that although the district was notified in April about the problem, the extent was unknown for several months.

“People think we knew on April 29 that all of these millions of files were exposed, and we didn’t know that,” he said. “We knew hardly anything except that we had a problem, and we had to find out what it was.”

The district’s website was down for several days and was restored in stages.

Gariepy said it took months for the consultant and the district to assess the situation, find out which files were affected and find correct addresses for the millions who were affected.

They include current employees and students, as well as those going back at least several years, including people who took non-credit courses and high-school students who were dual-enrolled in community- college classes.

Gariepy said letters are being mailed in stages to those potentially affected. All the letters should be sent by mid-December.

On Friday, he said the district has already received hundreds of phone calls from people, most of whom asked whether the letters they have received about the issue were authentic.

“If you got a letter from us, it’s not a scam, and it’s not a sales letter from someone who wants to sell you something,” he said.

Work on the technology system, which had been described as outdated, continues.

In February, as the governing board was deliberating whether to ask for its second tuition and property-tax increase in three years, the members heard a report on problems with the system.

John Webster, interim vice chancellor for IT services, told the board that his department was badly understaffed and that employees needed additional training. He said some software was so old that the vendor no longer supported it.

The tuition and property tax increases were approved in the spring, with upgraded technology part of the plan for the money.

For more information about IT and CYBERSECURITY training, contact eFOUR Learning today:

Originally published: By Mary Beth Faller The Republic | Fri Dec 6, 2013 10:26 PM


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s