Data breach at Maricopa Colleges hit 2 mil people
The Maricopa County Community College District waited seven months to notify 2.4 million current and former students and employees that their academic or personal data were compromised in an April security breach.
The district’s governing board has already approved several million dollars for repairs, which are still being made, and on Tuesday agreed to spend up to $7 million more to notify everyone who is potentially affected, spokesman Tom Gariepy said
Wednesday.
Letters will be sent to current and former students, employees and vendors of the district’s 10 colleges going back at least several years to alert them that their information could have been seen, Gariepy said.
Among the vulnerable data were employees’ Social Security numbers, driver’s-license numbers and bankaccount information, he said.
Students’ academic information also may have been exposed, but not their personal information.
There is no evidence that any information actually was looked at or stolen, Gariepy said.
A company has been hired to handle questions and assist people who may have been affected.
The FBI notified the district on April 29 that it found a website advertising personal data from the district’s information-technology system for sale, Gariepy said. The district’s website was taken down that day and stayed down for several days before being restored in stages.
Gariepy said the district didn’t release information about the event at the time because it was investigating the extent of the exposure.
“There was a tremendous amount of data, and the forensics investigation around this was very complex,” he said. “They had to look at a number of different systems and servers and databases.
“It would have been nice to say something earlier, but we couldn’t give anyone information until we could say it with certainty, even if it’s not conclusive.”
At the same time, the district was repairing its information-technology system and didn’t want to publicize that it could be vulnerable, he said.
Gariepy said the district has installed more firewalls and security procedures. He also said some employees in the information-technology department face disciplinary action. He would not elaborate. “We started immediate steps to make the system secure, and it’s become progressively more secure as time has gone on,” he said.
Reaction subdued
Reaction was muted as the news began to circulate by Wednesday afternoon.
Scottsdale Community College student Lindsay Hager said she hadn’t heard about the breach but said, “It is a concern, because everything we do now is online.”
Terry Gustafson, an adjunct faculty member at SCC, said he had little information but wasn’t particularly worried about his personal data.
“There had been some scuttlebutt about it for some time, but no one was saying much. The recent announcements basically said the problem was discovered, investigated and fixed,” he said.
Lucas Bodine, president of the Associated Students of Mesa Community College, said he is confident the issue will be resolved.
“Anytime that personal information may have been exposed, it is a concern,” he said. “It seems that the district has made this a high priority in order to protect students and staff.”
The Maricopa Community Colleges Faculty Association released a statement echoing that sentiment:
“We are confident that the district will do what is necessary to adequately protect students and MCCCD employees, now and in the future.”
Gariepy said the $7 million notification process was approved by the district governing board Tuesday night.
The money will go to an outside consultant, who will send the notification letters to everyone whose information was exposed.
The letters, which should be received by mid-December, will include instructions on what to do.
The $7 million also will pay for maintenance of a call center and continuous credit monitoring for people who ask for it.
Chancellor Rufus Glasper said in a statement: “On behalf of the district, I deeply regret that this occurred and am leading a thorough response designed to prevent this from happening again.
“We are examining every aspect of our IT operations, and the changes under way are making us stronger systemwide.”
Gariepy said that the FBI has made no arrests and that the district is continuing to cooperate.
Special Agent Manuel Johnson, an FBI spokesman, confirmed Wednesday that agents assigned to the bureau’s Phoenix Division contacted officials with the college system about the matter months ago.
“We received information via official channels, and we contacted Maricopa County Community Colleges,” he said.
Johnson wasn’t in a position to discuss further details about the matter, such as who was collecting the data and to whom it was being sold, he said.
FBI agents said they are not aware of any additional Arizona victims, other than those associated with the college system.
In general, members of the public should be careful about their interactions via the Internet, Johnson said.
“If you don’t know who you’re dealing with, don’t provide personal information,” he said.