You may not be reading much in the news recently about the breach involving Maricopa County Community College District (MCCCD), but there’s a lot going on. Unfortunately, MCCCD has reportedly not been particularly forthcoming with records that might shed light on what really happened back in 2011 when MCCCD was informed by the FBI that some personal information from one of their servers had been found for sale in the underground markets. Did MCCCD implement the necessary protections to prevent another breach of the same type, or did they fail to implement adequate security protections, enabling their massive 2013 breach? [Previous coverage of the MCCCD breach on this blog can be found here, here, here, and here].
Although MCCCD appears to be blaming an employee or two for the 2013 breach that affected 2.48 million students, former and current employees tell a significantly different story. There is now a website about the breach where they share some of their concerns.
In addition to the above, DataBreaches.net has heard from another former employee in MCCCD’s IT department who tells a frightening story of lax security with respect to credit card information and Social Security numbers. When asked about the 2011 breach, the employee stated:
“MCCCD did not have an incident response plan at that time and I believe that the information never left a select group of IT Administrators.”
While that seems to provide partial support for any claims that high-level administrators may not have been fully informed about the 2011 breach, it also suggests that their own failure to have an incident response plan contributed to the situation. The same employee also stated she made numerous attempts to get administration to address security concerns – all to no avail.
In December and January, the law firm of Gallagher & Kennedy filed notices of claim on behalf of two clients whose data were involved in the breach.
This week, they filed suit to compel MCCCD to produce its public records relating to the two data breaches. According to their press release of today, MCCCD did not provide a single document. In their complaint, they allege that MCCCD did not respond to requests for records concerning the 2011 incident, and that MCCCD’s law firm cited “pending employment actions” (and employees’ privacy and due process rights), and not wanting to give hackers a “roadmap” as their justification for not providing responsive documents in a timely fashion. MCCCD’s external counsel’s responses to G&K’s public records request are Exhibits I and K in the request for an Order to Show Cause.
DataBreaches.net notes that not only has MCCCD seemingly not produced even a single document in response to G&K’s public records request, but they have reportedly actively attempted to recall records they had previously released to others.
The 2.4 million students affected by a breach that may well have resulted from MCCCD’s failure to respond appropriately to the 2011 incident deserve real answers and accountability.
The taxpayers whose hard-earned dollars support MCCCD deserve real answers and accountability.
Those of us concerned about data security and privacy protections need transparency so that we can all learn what went wrong, in the hopes others will not repeat any errors made by MCCCD.
I do not doubt MCCCD’s lawyers’ claims that MCCCD has 743 terabytes of information, but if ever a breach involving a public entity demanded transparency and accountability, this is it. DataBreaches.net urges the court to order MCCCD to start producing responsive documents promptly.
Update: The Arizona Republic subsequently reported on the issue of MCCCD’s failure to produce responsive documents, as they are also seeking public records in the case. DataBreaches.net is not as concerned about obtaining MCCCD’s contract with external counsel, although that’s certainly an issue of public concern and right to know, but this blogger would definitely like to see the 2011 report and recommendations following the first breach, and correspondence concerning whether the recommendations were implemented and might have prevented the massive 2013 breach.
While it may be true that MCCCD has 743 TB of information (most of it coming from useless copies after copies of their large ERP systems), MCCCD can easily retrieve most of the records being requested via simple queries against their Google E-mail system used for employee emails. Most of the other information being requested is easily retrievable and has previously been produced in past record requests. Failure to produce a single document months after requests were made should give an indication to the State Attorney General Tom Horne, the State Ombudsman Dennis Wells and even the North Central Accreditation that it is time to get involved. When educational institutions don’t want to turn over documents like the law requires, it’s safe to make the assumption that they have something to hide.
A petition is now online demanding that the MCCCD Governing Board take action in the matter of the 2013 data breach. So far, the MCCCD Board has taken no action regarding issues of lack of transparency and lack of accountability at the top. It has been over 10 months since this breach took place and lawsuits are starting to pile up. Taxpayers deserve better than this in a publicly funded institution. Home-owners and students should not have to pay for this mess with tuition increases and an additional tax levy.
http://www.change.org/petitions/public-audience-demand-transparency-from-mcccd-sign-the-petition-2