DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The Maricopa County Community Colleges District data breach investigation they didn’t want us to see

Posted on September 30, 2014 by Dissent

In January 2011, DataBreaches.net reported that login credentials for the Maricopa County Community Colleges District (MCCCD) were up for sale on the black market. That month, the FBI also contacted Maricopa to alert them to the breach. In response to the incident, MCCCD brought in Stach & Liu (now Bishop Fox) to investigate and make recommendations.

Following MCCCD’s  second – and massive – data breach in 2013, this blogger filed a formal complaint with the FTC (pdf) asking them to investigate MCCCD’s data security and to take action to protect the financial and personal information of students, vendors, and staff. Yesterday, EPIC filed a supplemental complaint (pdf), also calling on the FTC to investigate and take action against MCCCD to protect personal information.

Today, in the first of what is expected to be a series of reports, DataBreaches.net is disclosing what Stach & Liu found in their preliminary investigation of the 2011 breach. In February 2011, they reported that the Application level, they found:

  • Comprehensively insecure code with systemic critical flaws like file inclusion and injection
  • Hundreds of attacks per month as far back as analysis was performed for file inclusion and SQL injection; and
  • No secure coding practices identified whatsoever

For the compromised web server, they found:

  • All LAMP systems are running out-of-date versions
  • 5 LAMP servers were backdoored with web shells
  • Up to 29 virtual hosts were stored on a single server
  • Blank passwords SSH keys were used to connect between systems; and
  • Shared filesystems were used bewteen public web servers

Their findings from investigation at the database level revealed:

  • 29% of passwords were re-used
  • 21% of passwords were cracked in seconds
  • 2 databases were poisoned with credentials to FTP
  • Up to 140 databases were stored on a single server; and
  • Databases dating back to 2000 used cleartext or unsalted passwords with FILE privileges

Note: the databases referred to above were those residing on the compromised webservers and other virtual servers. These servers were managed by the server team and MCCCD’s Marketing Department – not the employees MCCCD subsequently fired and tried to blame for everything.

The Stach & Liu report pointed out the consequences of what they had found:

  • MCCCD had already experienced a data breach and loss
  • MCCCD systems had been included in a botnet
  • Backdoors were installed on servers
  • Servers had been abused for Pharma marketing (spam); and
  • MCCCD could experience brand and reputation damage

Stach & Liu made a number of recommendations for next steps in terms of assessment and remediation. As subsequent posts will illustrate, documents provided to DataBreaches.net – most of which have not been shared with the public under open records requests – indicate that MCCCD never fully implemented the recommendations of its consultants, its own employees, or state auditors who, year after year, noted data security control concerns.

Category: Commentaries and AnalysesEducation SectorU.S.

Post navigation

← Four hackers charged with stealing $100m in US army and Xbox technology
Miami-Dade County Resident Sentenced For Identity Theft Schemes Involving Fraudulent Social Security Benefits And Income Tax Refunds →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.