Maricopa Security Breach

The rest of the story

MCCCD mismanagement leads to $4 million fine

MCCCD mismanagement of national service funds leads to a Justice Department investigation that ultimately lands MCCCD with a $4 million fine. The whistleblower in this case was not punished; however, it took government intervention for the MCCCD Administration to be exposed. Even then, they continue to use taxpayer dollars to pay a $4 million fine without accepting any responsibility.

In a similar case of whistleblowing, several FTC complaints have been filed against MCCCD regarding the MCCCD security breach.  This was the largest breach in Education in the country and another case of mismanagement and scapegoating of employees. This breach impacted over 2 million people. In this case, the whistleblower was punished and the administration continues to deny any responsibility, a costly pattern of behavior.

The most recent FTC complaint was filed by EPIC, a non-profit organization based out of Washington, DC. It alleges violation of the Safeguard Rules, another apparent case of mismanagement at MCCCD that could result in more hefty fines and public embarrassment. The security breach has cost Maricopa taxpayers upwards of $20 million and the court cases are in their infancy. A class action lawsuit of over $6 billion representing all those impacted by the breach is now in Federal court. Other lawsuits will follow.

MCCCD kept Oracle security reports from staff

The truth no one ever heard until now!
Oracle Security Report Not Shared

It looks like people with inside information into the Security Breach at MCCCD are now starting to disclose new information to the media that was never shared before. This recent post by Databreaches.net points to MCCCD hiding information (Oracle Corp. security assessment) from its own employees and the public for plausible deniability in litigation. Critical vendor reports were never shared with the staff in 2008, 2011 and 2013.

http://www.databreaches.net/did-mcccd-leadership-shut-their-eyes-to-a-database-security-assessment-for-plausible-deniability-in-litigation/

Millions are being spent defending against the largest security breach in the history of higher education. All of it could have been avoided had the MCCCD Administration shared with its own staff the technical reports from Oracle that it knew about. The identities of several million people have been stolen, and according to the report from Databreaches.net, the organization withheld critical information that could have prevented it. Furthermore, this information from Oracle Corp. may still be an internal secret to most of the employees at MCCCD who are trying to secure the system after the 2013 breach.

MCCCD Governing Board Elections 2014 – Maricopa Breach

New Directions for Maricopa Community College District

Written by Johanna Haver and Jean McGrath – Opinion Editorial

It is time for the Maricopa County Community College District to pursue a new direction – one of fiscal responsibility and transparency – both sadly lacking under the leadership of MCCCD Chancellor Rufus Glasper and the current MCCCD governing board members.  

Over the past ten years, the college district has increased tuition 63% and property taxes to .128+%, which amounts to $128 per $100,000 valuation of a home.  The budget for 2014-15 is in excess of $1.8 billion – considerably more than the yearly budget for the entire City of Phoenix which is at $1.2 billion.  Moreover, Glasper plans to ask the MCCCD Governing Board to increase tuition again in January to pay for a budget that will likely exceed $2 billion.

According to a 2011 investigative report by the Goldwater Institute, less than 44% of the MCCCD general fund goes toward instruction. Moreover, that amount has been reduced in recent years, despite repeated directives from the board to cut administrative costs.  In comparison, Arizona’s K-12 schools spend 56% on average for instruction.

Other MCCCD expenses include lobbyists and a political advisor who rake in more than $1 million per year.  Administrative travel has been estimated at $5.3 million. The recent information technology breach fiasco, for which Glasper has fired a whistleblower and denied any wrongdoing himself, is costing the taxpayers $18 million and climbing. 

MCCCD security breach update – and then there were two

EPIC urges FTC to investigate

And then there were two…

In what appears to be a renewed interest in the MCCCD security breach case, a new FTC complaint has now been filed by EPIC about this now “EPIC” college breach story that may set a precedent for compliance in educational institutions across the country. It joins a previous FTC complaint filed by databreaches.net.

EPIC is a public interest research center located in Washington, DC. It focuses on emerging privacy and civil liberties issues and is a leading advocate before the FTC. EPIC has previously testified before Congress on the need for financial institutions and companies to protect consumers against data breaches.

If these complaints hold sway with the FTC, this could turn into the most significant breach in the world of education and bring about a sea change. These complaints claim that MCCCD is to be held responsible under the ‘Safeguard Rule’ of the Gramm-Leach-Bliley (GLB) Act.

Here is the latest information.

EPIC Press release
Databreaches.net coverage of this topic
EPIC seeks enforcement action over Arizona data breaches - Computerworld

 

Food for thought!

Miguel Corzo speaks to Governing Board | Maricopa Security Breach

The Governing Board voted on 7/22/2014 to terminate Miguel Corzo. The entire video of the Board meeting is now available here.  

Follow-up articles:
- The Arizona Daily Independent: ‘MCCCD denies due process, fires whistleblower’
- Az Central: ‘Maricopa Hacking Scandal: Same Old Excuses’
- Databreaches.net: ‘MCCCD Breach: View from the underbus’
- 3 TV – AZ Family: ‘School fires IT manager who warned of breach’

Board Members were operating with inaccurate and incomplete information

  • MCCCD refuses to call Mr. Corzo’s witnesses
  • MCCCD refuses to provide Mr. Corzo with public records
  • MCCCD had been breaking OML laws since April 2013
  • Board-established employee policies violated
  • Mr. Corzo’s civil rights and due process violated
  • Board Members silenced
  • MCCCD unwilling to provide any evidence to support their accusations
  • MCCCD Board Member misinformed about database ownership in Stach and Liu report. Not a single database was mentioned by name in that report.
  • Famous Stach & Liu report of 2011 was a 13-page PowerPoint pointing to network and security issues. All databases in the report resided on the compromised webservers only.
  • MCCCD ignores content of signed and dated IT Grievance that will hold up in Court.

Wrongful employee termination – MCCCD Security Breach

Attached is the response to the Chancellor’s recommendation to terminate Mr. Miguel Corzo’s employment.
The letters below were sent to the Governing Board in response to the upcoming Board meeting.

The MCCCD Administration is accusing Mr. Corzo of not doing a job that wasn’t his to do, being responsible for systems he wasn’t supposed to be responsible for, knowing about a document that was never shared with him, not communicating upwards when he repeatedly did so, and not doing enough during an incident in 2011 when he was onsite, working with his staff and others to help MCCCD address a small security breach.  In 2013 when the second and larger breach took place, Mr. Corzo was no longer assigned to any supervisory or database duties.

The ERPs at MCCCD that Mr. Corzo was responsible for were never compromised in 2011. A small database residing on the main Maricopa webservers was compromised. This database was the responsibility of the marketing department and the network and server team at MCCCD, not Mr. Corzo’s team.

It is not what happened in 2011 that matters as much as what the Administration did after 2011 and before the 2013 incident. The 2011 incident was indeed minor. Nothing really happened of any significance. The Administration simply ignored or decided to take a chance on documents provided to them that clearly stated that something had to be done to repair our systems after a minor breach. That was a calculated risk that unfortunately had serious consequences, and one that no one in the Administration wants to be responsible for. Mr. Corzo warned the Administration multiple times with 12 letters, including 3 emails regarding an IT grievance that clearly stated that MCCCD was at great risk of exposing personal data. Mr. Corzo followed every process in place. He gave the Chancellor more than enough time to at least meet with him to discuss his concerns. Nothing ever happened, and MCCCD is now facing the biggest legal battle in its history and the highest attrition levels in IT ever. Not only that, the Administration is using the very same employees that tried to help MCCCD as scapegoats.


MCCCD Security breach escalates to Federal Trade Commission (FTC)

Privacy advocate files complaint with FTC over Maricopa County Community College District data breach

A formal complaint has been filed with the FTC against MCCCD regarding the 2011 and 2013 security breaches. The complaint alleges violation of the Safeguard Rules.

Security breaches like the one at  have been under scrutiny by the FTC for the company’s failure to protect the personal and financial information they collect. The FTC has yet to enforce the Safeguard Rules in an educational institution; however, the number and size of these breaches often surpass that of other industries. Institutions like MCCCD (the largest community college district in the nation) receive millions of dollars in Financial Aid and collect personal and financial information for over a quarter of a million individuals every year. This is the same kind of personal and financial information that companies in the private sector collect. Negligence and failure to protect personal information have been cited multiple times in the class action lawsuits that have been recently filed against MCCCD. In a recent article titled ‘the year of living dangerously’, the author clearly outlines what’s at stake if breaches like these go unanswered by the FTC. Organizations like Target Corp that understand the implications of inadequate security have held those at the very top responsible for massive financial losses and the consequences that follow a security breach. It goes without saying that if the FTC deems it necessary to investigate a breach of 500K individuals, such as the incident at Wyndham, an investigation of a security breach involving 2.5 million people at Maricopa Community Colleges is almost mandatory.

Call for FTC to intervene | MCCCD Security Breach

A new article was recently published on Databreaches.net that calls for a congressional inquiry into the MCCCD security breach. The breach at MCCCD exposed the identity of 2.5+ million people for life. It could have been avoided, as clearly shown in this timeline of events.

The MCCCD administration was warned multiple times by their employees and members of the community.  They chose to ignore all warnings and scapegoat employees.  Even at this juncture, MCCCD may still be at risk as disclosed in recent Governing Board minutes. If the 2011-2013 warnings were not enough, the MCCCD Administration and Governing Board still refuse to meet with employees and address remaining security issues presented to them as recently as April 2014.

Largest Security Breach in Education

In a recent development, the FTC has filed a complaint against Wyndham Hotels for failure to protect consumer personal information. The MCCCD security breach is much larger than the Wyndham case, and it goes to show that when it comes to consumer protection and privacy of information it does not matter whether an organization is private or public.

MCCCD is now dealing with a $6.25 billion class action lawsuit, the threat of potential bankruptcy, disgusted Board Members, future issues with bond ratings, employee attrition, a drop in enrollment worth millions, stonewalling of the media, damage to its reputation in the community and millions of taxpayer dollars being wasted on lawyers. Whether education or private sector, a security breach is a security breach. If the FTC plans to hold those in private industry accountable, they should do the same in all industries.

The Target and the MCCCD security breach compared

Target’s CEO has become the first boss of a major corporation to lose his job over a breach of customer data, showing how responsibility for computer security now reaches right to the top. – Associated Press

It’s a new era for boards to take a proactive role in understanding what the risks are. – Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin.

Target and MCCCD represent two contrasting approaches to handling a security breach. There are striking similarities in what took place and significant differences in how the companies handled the situation.

So far, the Target Board of Directors has looked at risks and taken action to protect their company. They have chosen transparency and a clean slate as they move forward. In contrast, the MCCCD Governing Board has taken no action. It has surrounded itself with lawyers. It is breaking several AZ laws according to current lawsuits, keeping the top of the organization intact, blaming employees and stonewalling everyone. Which company would you want to work for? Which company has a better chance to survive?

Here is what they have in common:

  • They both had a CEO and CIO (Chancellor and Vice-Chancellor of IT) responsible for the organization