Maricopa Security Breach

The rest of the story


Kroll finds that employee did nothing wrong | MCCCD blames employee

Here is a recording from an interview where Mr. Corzo, the person who tried to warn the District before the 2013 incident happened, is being told that ‘he did nothing wrong’. MCCCD is still proceeding with efforts to blame Mr. Corzo for the 2013 incident. The MCCCD Administration refuses to take responsibility.

This interview took place in Nov 2013. In attendance were James Bowers, Interim VC of HR, Kroll lead investigator (speaking on recording), Kerry Mitchell, ex-MAT President and Mr. Corzo’s representative.

A few points to read before you play the tape:

1. The 1098-T database they mention in the tape and are trying to pin on Mr. Corzo WAS NOT one of the databases he managed at the time. This database was managed by another IT Director (who recently resigned) and the Marketing Department. Neither Mr. Corzo nor his staff had access to that database or the computer it resided on.

2. Mr. Corzo nominated someone from his team as requested by Mr. Monsour to be part of the investigation team in 2011. That person did what she was asked to do and communicated with Mr. Corzo several times a day. None of the ERP databases Mr. Corzo managed at the time (SIS, HR, CFS) were compromised.

3. Mr. Corzo worked closely with Earl Monsour (leading the 2011 investigation) and his staff to change ERP passwords, investigate and do other checks in all the ERP databases. He was actively involved as documented by numerous internal emails and logs from the event.  He did everything he could to make sure all systems he was responsible for were secure.

4. Mr. Corzo was not responsible for the security of the databases as mistakenly stated by Kroll in the audio. That was the responsibility of another IT Director. There is a subtle difference between database security (who can access what in the database – Mr. Corzo's responsibility) and server security (who can access the computer a database resides on – the responsibility of another IT Director, who has now resigned). The server security was compromised at MCCCD, not the database security.

5. MCCCD hackers gained root access to MCCCD servers. Protecting the database servers from hackers that had gained root access was not Mr. Corzo’s responsibility. This was the responsibility of another IT Director. Identifying network intrusion was not Mr. Corzo’s responsibility either. Mr. Corzo has never been responsible for Network or Security in his entire career at MCCCD.

6. In August 2013, Mr. Corzo was invited to a meeting with Kroll w/ no prior notice. He was asked to recall an event that happened in 2011. Kroll gave him no time to review anything and no indication of what the meeting was about. Rather than trying to recall events from 2 years ago, Mr. Corzo wanted to go back to his emails and documents from the time of the event and review the information. Instead, Mr. Corzo was pressured to recall events on the spot. Mr. Corzo told Kroll that he would get back to them once he had had a chance to review emails and other documentation. They never bothered calling Mr. Corzo back. Mr. Corzo designed and implemented many of the systems still in use today at MCCCD. Mr. Corzo has been involved in MCCCD IT Leadership positions for nearly 20 years. MCCCD decided that Mr. Corzo's institutional knowledge of their ERP databases, identity management and other systems was of no significance to help protect MCCCD after the FBI notification in April 2013. Instead, MCCCD decided to hire investigators, leave their IT experts out of the loop, pay for the learning curve and delay public notification for months. That too could have been avoided had staff with institutional knowledge been asked to participate after April 2013.

7. The reason Mr. Corzo said ‘what breach?’ during his interview with Kroll was b/c to his knowledge at the time the 2011 event took place, it involved only 200-300 people and NONE of the databases he was in charge of were compromised in 2011. Furthermore, the person with all the knowledge of the investigation was another IT Director and his team. Security investigations at MCCCD were on a need-to-know basis. Only those appointed to work on the team had full knowledge. Mr. Corzo appointed the best member of his team as requested by Mr. Monsour to help with the investigation.

8. This was a high profile issue to Kroll, b/c they had been involved in the investigation for months. In August, when Mr. Corzo’s first meeting with Kroll took place, that was his first introduction to what happened in 2013. He had no idea that 2013 was connected to 2011. He did not realize what had happened in 2013 until later. They never contacted Mr. Corzo after the FBI notified MCCCD in April 2013.

9. Kroll blames Mr. Corzo for not making himself more available in 2011, even though he was present onsite, working with his team and working with Mr. Monsour around the clock. It is ironic that after the FBI notified MCCCD of the 2013 breach, MCCCD did not contact Mr. Corzo or Mr. Monsour until August 2013. We are sure that Mr. Corzo and Mr. Monsour could have helped prevent the mess that followed the 2013 incident had MCCCD contacted them.

10. True, there were not supposed to be any databases on the breached webserver. Mr. Corzo would have never allowed that. None of the databases he was responsible for resided there. However, another Director in IT and the Marketing Department placed databases there without Mr. Corzo’s knowledge. Mr. Corzo did not have access to any of these databases and neither did his staff. These were not databases (1098-T and related front end software) that Mr. Corzo was responsible for. These were the responsibility of the Marketing Dept at MCCCD.

11. Mr. Corzo’s responsibilities were only for SQL Server and Oracle databases supporting the ERP systems. Mr. Corzo had no authority or responsibility for MySQL databases that were supporting the 1098-T database mentioned by Kroll.

So, it looks like they found someone did something wrong but they didn’t quite get the name of the person right. A few people have described what’s taking place as a witch hunt.

