Maricopa Security Breach

The rest of the story

By

Letter sent from MCCCD to employees to turn over documents

Here is the letter employees received from Jim Bowers, Interim VC of HR at Maricopa Community College District to turn over documents and any confidential and higly sensitive information regarding the MCCCD network.

These letters contain additional threats of disciplinary action. MCCCD has not only denied employees the opportunity to obtain documents necessary to defend themselves, they are now threatening with additional disciplinary actions if the employees do not surrender the few documents that they have and have officially obtained via records request.  These documents are proof that the Chancellor and Vice-Chancellor of ITS were told about the security breaches that ultimately led to the 2013 incident. These documents do not contain any sensitive network information that would put the public at risk.  The biggest risk to the public is an administration that does not listen to their employees and fail to follow establish policy meant to protect the organization.

Mr. Monsour and Mr. Corzo were not responsible for the Network at MCCCD. All sensitive information about the MCCCD network resides with MCCCD and the individuals in charge of the Network.

ITS at MCCCD has seen nearly a 50% attrition. Nearly 60 employees have left the department since 2011.  MCCCD has publicly shared information about its network and vulnerabilities.  MCCCD has publicly acknowledge in the Board minutes from 11/2013 that its environment may not be secured (See below).  These factors by themselves present more risk to the public than anything else.

The section below came from the 11/12/2013 MCCCD Governing Board minutes.

It makes you wonder how secure MCCCD is today and whether the college web sites are secure. MCCCD reported in a press release in May that the main Maricopa web server compromise had the potential to infect the college web servers as well.  It may be time for the State Auditors to do an IT audit before something bad really happens again.

Non-Consent Agenda

FOR WEB REMEDIATION CONSULTING SERVICES

This is a follow-up item to move to a One Maricopa enhancement effort. It’s a three-phase system. Once Eagle Creek has assessed the existing web infrastructure,

1) they will help with web maintenance (there are over 10,000 pages),

2) they will look at the web infrastructure and fix pages that are not working, and

3) they will rebuild the entire web system into a secure and well run single entity (currently there are 50-60 systems currently running).

It will take approximately 18-24 months to fix.

o Will Maricopa contract out maintenance or can it be supported in-house upon completion? (IT will create a web team trained in the use of the new system and work with a marketing team to deploy content. There will be both dedicated technical and marketing staff. This effort is only for the District’s web page; it does not include the college pages.)

o How can we justify to tax payers that it will take 18-24 months to fix while leaving us vulnerable to hacking? (Hacking is being addressed right now—it is not dependent on this effort. It will take time because not everything is running parallel. The vendor is going through the websites and making sure they work properly but there are over 90 with about 25 pages per group; it would require hundreds of web programmers to reach out to all the end users if they tried to do it all at once.

The District web has grown organically since its inception and it now has to be standardized. Once the system has been cleaned, the recovery time will be much better in future situations (less than a week).)

letter 001

letter 002

letter 003

Leave a Reply