Maricopa Security Breach

The rest of the story

Analysis of Board Minutes after 2013 MCCCD Security Breach

The following blog contains a review of items as they relate to the 2013 Maricopa Community College security breach and as documented in the MCCCD Board Minutes from April 2013 until February 2014. Board minutes are available online. Click on the Motion number link to see the details. Here are additional resources and news coverage if you are interested.

 See observations and commentary below.

Board spending

We have used existing Board minutes to document Board items since the 2013 security breach. A few things are not very straightforward, and others may need more explanation for the public to understand.

| Date | Event | IT Budget Request (Millions) from Board | Security Breach Legal Fees (Millions) from Board | Board Motion |
|---|---|---|---|---|
| 4/2013 | FBI Notifies MCCCD of breach | | | |
| 4/9/13 – Board Meeting | Nothing related to security discussed | | | |
| 4/23/13 – Board meeting | Nothing related to security discussed; Conceptual approval of $15 million for Student Information System Upgrade from Oracle; V.A.2 APPROVAL OF RESOLUTION AUTHORIZING SALE AND ISSUANCE OF $151,090,000 AGGREGATE PRINCIPAL AMOUNT OF MARICOPA COUNTY COMMUNITY COLLEGE DISTRICT OF MARICOPA COUNTY, ARIZONA, GENERAL OBLIGATION BONDS, SERIES 2013 | $15m | | 10046 |
| 5/14/13 Board Meeting | Nothing related to security discussed | | | |
| 5/21/13 Board Meeting | Approval of IT single sign-on Seamless student experience project $559k; Conceptual approval of ‘IMPLEMENTATION’ of IT Financial Management System from Oracle $7.5 million; Conceptual approval of Peoplesoft Financial System from Oracle $1.1 million; Nothing related to security discussed | $.559m; $7.5m; $1.1m | | 10058; 10059; 10060 |
| 6/11/13 Board Meeting | Nothing related to security discussed; Chancellor’s evaluation | | | |
| 6/25/13 Board Meeting | 1st vague mention of security issues; Approval to increase expenditure for web security. Contract with Bishop/Stach & Liu through 2013 $2 million; Approval of another IT Project. Ratification of awards contract with Oracle for 545K for an Identity Management System and $1.7 million for Encryption services (7/23/13 Meeting) | | $2m; $2.25m | 10077; 10094 |
| 7/9/13 Board Meeting | Nothing related to security discussed | | | |
| 7/16/13 Board Meeting | Nothing related to security discussed | | | |
| 7/23/13 Board Meeting | Nothing related to security discussed; Approval of Eagle Creek Contract for $326K for web remediation consulting services | | $.326m | 10093 |
| 7/30/13 Board Meeting | Nothing related to security discussed | | | |
| 8/13/13 Board Meeting | Nothing related to security discussed | | | |
| 8/27/13 Board Meeting | Nothing related to security discussed | | | |
| 9/10/13 Board Meeting | Nothing related to security discussed | | | |
| 9/24/13 Board Meeting | Nothing related to security discussed; Approval of 2.1 million in legal fees to Wilson Elser. | | $2.1m | 10114 |
| 10/15/13 Board Meeting | Nothing related to security discussed; Approval of Chancellor’s 3 year contract comes up | | | 10117 |
| 10/22/13 Board Meeting | Nothing related to security discussed; Approval of Chancellor’s 3 year contract on Board agenda; Chancellor’s contract removed from consideration; Approval of another IT project. Student Information System Financial and Regulation Support 646K | $.646m | | 10118 |
| 11/26/13 Board Meeting | Approval to increase web remediation consulting services by Eagle Creek. Phase 1 is an assessment of the web situation. Notice the date for this step | | $2.6m | 10112 |
| 11/25/13 | ITS employees notified of accusations | | | |
| 11/26/13 Board meeting | Approval of Fees and Costs for Wilson Elser law firm not to exceed 7 million. This is very vague and mentions costs for a consultant contracted through Wilson Elser to provide services relating to MCCCD’s One Maricopa Security Enhancement project; Approval of the Chancellor’s 3 year contract | | $7m | 10123 |
| 11/27/13 | News break on Maricopa security breach | | | |
| 12/10/13 Board Meeting | Approval of authorization of date extension for web security consulting services under a contract with Bishop Fox; Approval of authorization for legal fees for Wilson Elser for $2.7 million in addition to the 7 million approved before | | $2.7m | 10128; 10129 |
| 1/28/2014 | Citizens ask the Board to place Chancellor and acting VC of HR Jim Bowers on Administrative leave during the Governing Board meeting on 1/28/2014 (see appendix of Board minutes) | | | |
| 2/25/2014 | MCCCD Governing Board called on to fire Chancellor during 2/25/2014 Board meeting. See video. Proposal to increase both tuition for students and the tax levy for county property owners for 2014-15. This generates $25.5 million for the district. About $7.4 million of that would go to the information-technology department to hire more staff while at the same time outsource projects to the cloud. Interesting! | | | |
| Totals in millions since April 2013 | | $24.8 | $17.1 | |

Observations and questions that remain:

  1. After FBI notification IT projects started to appear in front of the Board for approval at unprecedented rates totaling over $24 million. Some of these projects were ‘conceptual’ possibly meaning little or no details.
  2. All these projects were approved only a few months prior to the Nov. 2013 announcement of the security breach.
  3. Now, as reported by the AZ Republic, IT is planning to hire 65 new people in IT.
  4. At the 2/25/2014 Board Meeting ITS stated a desire to move projects to the cloud. Isn’t the cloud migration supposed to reduce, not increase, the number of staff you need to support projects? Projects in the cloud aren’t automatically more secure than projects done in-house. More about the ‘cloud’ excuse in a later blog…
    Cloud = millions = loss of control = dependency = operational dollars = outsource = no local jobs = Oracle
  5. Where did the money from the 60 IT people who left the organization in 2011-2013 go?  Weren’t they permanent dollars?  Can that money be used to rehire?  
  6. ITS is understaffed and positions have not been filled yet projects are going to the Board to bring more technology into Maricopa.  At the same time, MCCCD wants to go to the Cloud. Where is the 5 year strategic and tactical plan for all of this?  How is MCCCD going to pay for this?  Capital, operational?
  7. After the Nov 26th announcement of a security breach, the public and the press have not had the opportunity to ask questions during a Board Meeting.  All commentary regarding this huge public issue has taken place behind Executive Sessions.  
  8. According to Board Minutes, it appears that MCCCD did nothing regarding the security incident until late June 25th, 2013 when the first contract with Stach and Liu went to the Board.
  9. Remediation services for the web problems were approved by the Board on 7/23/2013 long after the FBI notified Maricopa.  The language is extremely vague. The proposal lacks a funding source.  The language leads you to believe that MCCCD is still vulnerable.  This happens months after the FBI notification took place.  This happens months after MCCCD systems were brought back online.  Is web remediation taking place in late July?
  10. 2004 Bond dollars are being used to address the security breach, an unnecessary expense had the MCCCD taken action on the information that was provided. Projects like this Ratification of Oracle Contracts were approved on 7/23/13 to address the security problems. Furthermore, the Funding source for this motion was conveniently left out of the document. According to this motion $2.25M will be used  as follows:  $545,450.34 for an Identity Management Solution and $1,704,928.45 for Encryption services.  Now, if you read the AZ Republic article on how dollars are being spent you will see the following quote: “Thompson said the $2.25 million to Oracle is coming from the district’s $951 million bond program, approved by voters in 2004 for construction, renovation and technology”.  Interesting???
  11. One of the conceptual projects approved was $15 million for the Student Information System upgrade (note that this project does have a funding source attached). This project is interesting because it has a $2.4 million contingency associated with it.  That is quite a margin of error to play with when it comes to taxpayer dollars.
  12. Interestingly enough, none of the Security Related projects the Board has approved have a funding source associated with them: 10077, 10093, 10094, 10112, 10114, 10129.
  13. The contract for Wilson Elser Lawyers was approved by the Board on 9/24/2013 according to Board Agenda items. How were they being paid before that?  Is this part of the total reported to the press?  
  14. The Wilson Elser contract does not appear to be online at this time. Was Wilson Elser part of the list of approved vendors by MCCCD?  Is there an RFP in place for Wilson Elser?  Was this a sole-source for millions of dollars? Were there other qualified and lower price firms in town?  Furthermore, this multi-million dollar contract was presented to the Governing Board for approval by the Chancellor.  This contract lacks details, funding source and it is extremely vague.  See for yourself.
  15. Are travel expenses for Wilson Elser being paid out of the $2.1 million dollars approved by the Board?  
  16. Chancellor’s contract is on and off the Board agendas in September and November 2013
  17. The Chancellor’s 3 year contract was approved on Nov 26th, 2013
  18. The first article about the breach hits the press on Nov 27th, 2013 titled ‘Maricopa Colleges waited 7 months to notify 2.4 million students of data breach’. Is this just a coincidence?
  19. The timing of the extension of the Chancellor’s contract and press notification of the breach is very interesting.
  20. It looks like Wilson Elser hired Kroll.  The date of this event is not clear in Board minutes. Kroll conducted an investigation that recommended that up to 2.4 million people receive identity theft protection.  Ironically, Kroll is the company offering protection for those people for a total of at least $7 million (depending on how many sign up??). Furthermore, the lawyers handling the legal fallout for Maricopa from the Kroll investigation are lawyers from Wilson Elser.  Here is the Board item for $7 million to Wilson Elser so Kroll can provide coverage for MCCCD students.  Why did they ‘forget’ to say Kroll in this contract and instead use ‘in fees and costs solely for a consultant…’   Do you see any conflict of interest?  
  21. There has been no discussion in public regarding the security incident after it was announced in 11/2013. It looks like all conversations are taking place in executive session.  Should this discussion be placed in the next public agenda?  Can personnel issues and public security issues be separated? This is a matter of public interest; however, neither the public nor the press are being allowed to ask questions in public.
  22. MCCCD is one of the most affordable education systems in the state. Who benefits if it bankrupts? What is the cushion for MCCCD? Is it the $78 million fund balance they are now using to pay lawyers?  What happens if the fund balance runs out?  Where would the money come from?  Tuition seems to be the source unless someone decides to take some action.  You do the math.  If $17 million dollars were spent in legal fees in what appears to be just 6 months, what would it cost MCCCD if this problem was to linger for another 24 months?  Now, the hearings haven’t even started, the lawsuits have not been served and the number of lawyers involved is small.  That is all about to change and the burn rate is about to pick up speed.  What is the hourly rate for these lawyers? What if MCCCD needs to pay a class action settlement? What if MCCCD is taken to court b/c they refuse to release public records?  How much will tuition have to be raised?  What if there is no Bond for a few years?  How would this impact the community?
  23. Is this all worth the money over  what MCCCD has claimed to be a non-event?
  24. All of this makes you wonder, ‘WHO IS RUNNING THE SHOW?’ Who is making the decisions for MCCCD? Is there a bigger/larger agenda?
  25. Who is truly benefiting from all this chaos? This is a lose-lose situation for everyone in Maricopa except….

 

There are lots of questions and lots of money being spent in a very short period of time.  It is very unclear from Board minutes how transparent things are.  The timing of the spending does not coincide with what should have been efforts to notify the public very quickly. The 7-month delay in notification, according to the Board Minutes, may have a lot to do with Maricopa taking no action, Maricopa not involving the right individuals, consultants having to ‘learn’ the systems, other agendas at play, etc. Without an explanation, the action items in the Board minutes seem to indicate that MCCCD did not take this incident very seriously.  The spending in legal fees now seems to be astronomical at this early stage.

Are we asking the right questions?
