NOTE: Do NOT contact me about this settlement or expect me to help you file a claim or anything. I am just a breach blogger/citizen journalist and advocate, but I am not your advocate. Do NOT post your details in comments, either. Follow the directions on the post card you received or go to http://www.mcccdclassaction.kroll.com and follow the directions there.
From the does-anyone-but-me-give-a-damn dept.:
Remember the MCCCD data breach in 2013 that I have not only ranted about, but also filed an FTC complaint about under the Safeguards Rule? To date, it is the largest data breach ever in the U.S. education sector. [For earlier coverage, search this site for MCCCD].
Now Will Stone of KJZZ reports that there’s a proposed settlement to a consolidated class action lawsuit over the breach. The proposed settlement would give class members an additional year of credit monitoring and restoration services, would give named plaintiffs up to $1500, and would provide a promise to try to comply with a June, 2014 state audit that found infosecurity deficiencies (still). Attorneys for plaintiffs would get up to $2.4 million if the court approves their request.
MCCCD had already offered free credit monitoring to the 2.4 million students, vendors, and employees affected, as SSN and other identity information was stored on the servers and may have been accessed. One of the curious aspects of the entire incident was that although the FBI notified MCCCD on April 29, 2013 that 14 databases were up for sale on a website, MCCCD never disclosed exactly what was in those 14 databases – instead talking about what was stored on the servers and what “may have been” accessed. Worse, their response to the breach was bungled so badly that no one could eventually figure out exactly what was accessed. At the very least, though, they should have been able to identify what was in those 14 databases that the FBI reported were offered for sale.
Over the following year – as MCCCD tried to protect its chancellor and management from accusations that they had ignored repeated audits and advice of their IT security professionals, and as they busily threw employees under the bus – three potential class-action lawsuits were filed, each alleging concrete injury.
So with concrete injury alleged, why would the lawsuits settle for only another year of credit monitoring and restoration services?
In response to an inquiry from DataBreaches.net, MCCCD spokesperson Tom Gariepy sent a copy of an email the Chancellor has sent to all employees about the settlement.
Dear Maricopa,
Data security issues that came to my attention in 2013 as a result of an incident led several plaintiffs to file lawsuits against MCCCD. The plaintiffs claim that they were harmed because the District took insufficient action to protect their personal identifying information from possible exposure to unauthorized access. In the lawsuits, there was no evidence that any personal identifying information was actually accessed by any unauthorized party. MCCCD denied the legal claims and immediately moved to dismiss them.
However, to ease any ongoing concern and resolve the lawsuit without further legal expense, the Governing Board has approved an amicable settlement negotiated by counsel for the parties. The settlement offers members of the class an additional year of Kroll’s One Bureau Credit Monitoring, Consultation, and Restoration Services.
Members of the class will soon receive a postcard explaining the options available, and referring them to a website (http://www.mcccdclassaction.kroll.com) for more information. The site contains an example of the postcard. It also contains contact information for legal counsel appointed to represent the class, who will respond to your questions about the terms of the settlement and your options.
It is likely that you are a member of the class: (1) if you were a Maricopa employee, student, or contractor on or before November 27, 2013; or (2) if you received a letter notifying you of the security issues and offering you free credit counseling, monitoring, and restoration services. I urge you to look for the card in the mail and when you receive it, to take advantage of the services being offered.
MCCCD takes security of the data it holds very seriously and since the incident, has invested heavily to upgrade its systems and software, secure its data, and hire and train additional staff to provide continued data security.
Sincerely,
Rufus Glasper
A copy of the settlement agreement can be found here. The approved proposed settlement order can be found here (pdf). It’s not clear from the Chancellor’s e-mail whether MCCCD’s insurance will cover the costs of the added credit monitoring, attorneys’ fees, plaintiffs’ awards, and costs of repairing and improving infosecurity. The breach had already cost MCCCD approximately $20 million by early last year.
Of note, the settlement papers reveal that there was actually a prosecution for hacking in the wake of the breach. David Jules Axelrod (age, location, and date of birth unknown to DataBreaches.net) was prosecuted in federal court in Phoenix in 2014 on a misdemeanor charge under CFAA. Axelrod pleaded guilty, and in his statement, he said:
On or about April 28, 2013, I, David Jules Axelrod, used a software program and discovered that I could access a portion of a computer server at Maricopa County Community College District (MCCCD). […]
The information I obtained consisted of MCCCD database files. None of the information I accessed from these database files contained any Social Security numbers, birth dates, motor vehicle information, driving record information, addresses, telephone numbers, place(s) of employment, e-mail addresses, or financial information. Also, there was no information regarding employees, vendors, or other third parties in the files I accessed. I did not retain any copies, electronic or otherwise, of the information I accessed. I had no intent to and did not profit from accessing MCCCD’s information. I did not attempt to sell the information or otherwise publicly disseminate it. I am not aware of anyone else maintaining copies of the MCCCD information that I obtained.
In December, 2014, Axelrod was sentenced to one year of probation on the misdemeanor charge of Obtaining Information by Computer in violation of 18:1030(a)(2)(C) and ordered to pay a $25.00 special assessment.
Axelrod’s statement was included in the settlement papers, and may have been used to suggest that the breach wasn’t that bad and/or that plaintiffs would have an uphill battle linking any fraud to this breach. Attorneys for the plaintiffs in the consolidated case have not responded to inquiries from DataBreaches.net as of the time of this posting. But Axelrod’s statement, if true, is in conflict with the FBI’s finding that 14 databases were being offered for sale in April, 2013.
Under the circumstances, and assuming the truth of Axelrod’s plea, it appears that there may be another hacker or other hackers involved. Attempts by DataBreaches.net to find out if there has been any other prosecution for the MCCCD hack have been unsuccessful so far, but an MCCCD spokesperson said that to their knowledge, there have been no other prosecutions. They also confirmed that Axelrod was not a student at MCCCD or affiliated with them in any way at the time of the hack.
DataBreaches.net also asked MCCCD whether either the U.S. Education Department or the Federal Trade Commission had ever contacted MCCCD about the breach or investigated it.
The answer to both was “no.”
And that, folks, is an epic #FAIL on both federal agencies’ part. Universities and colleges contain a wealth of personal, financial, sensitive, and medical information on students, and no federal agency looks at or enforces data security? Even when 2.4 million were notified of a breach? Would MCCCD be just promising to try to comply with recommendations if the FTC came down on them – or would they actually comply and comply more promptly? I guess we won’t know.
C09890199 Not sure exactly what to do but this is the number that was on the post card. Will await further information. Thanx
I can’t tell if this is spam or you’re really responding to that post. What postcard? From whom?
C09426374 here is the number on the post card sent to me about class action lawsuit not sure what to do with it but would like to file claim. Please advise me. thank you
You need to follow the directions on the web site as to how to file the claim. They gave you a web site address for the settlement on the card, didn’t they?
December 8, 2015 @ 3:30 pm.
How do I do this? No information to be found
Start here and follow the instructions: http://www.mcccdclassaction.kroll.com
I have very poor vision and would like to receive a call from someone regarding this matter. How can I determine if my personal information was affected? Thank you.
I have deleted your phone number. This is a breach blog, not a helpdesk for breach victims. If you got a postcard, follow the directions, or have someone look at the settlement web site for you and call them for you if they list a phone number.
This is very confusing. The postcard refers to the lawsuit settlement and how to file a “claim.” However, the company you reply to is Kroll, the people contracted, by the District, to provide “monitoring services” to those who signed in and asked for it 2 years ago. Two points – First, this service appears to be the same one offered to everyone from the very beginning. Over 2 million people. Second, Kroll gets paid for each person who voluntarily signs up. Oh wait, there is a third and fourth. Third, shortly after the issue in 2013, Kroll’s company site was hacked. Confidence? And fourth, according to the reports after the breach, a very small percentage of people elected to receive this Kroll monitoring service. Now, 2 years (and millions of dollars wasted in legal fees and security “experts”) later, it sounds to me like a last ditch attempt by Kroll to get more revenue and justify the need to spend more taxpayer money, in the name of settling a class action suit. Sounds like the District gets off the hook, Kroll increases their revenue, and the taxpayer pays the bill. The District Administration, legal counsel, contracted attorneys and the governing board should all be investigated by an independent group of investigators. The problem seems to be that no government, municipality or law enforcement entity wants to own up to having any form of jurisdiction. Funny for a business that spends about a billion and a half dollars a year. Lots of questionable things going on there. But what else do you expect from an institution whose leaders can dictate their own compensation and benefits/rewards, while at the same time giving absolute authority to the Chancellor (can anyone say “dictatorship”), removing decision making from the Governing Board, per inappropriate advice of highly paid internal counsel and outside contract attorneys, in violation of Arizona statutes.
Who has the guts to take on this drama and make these abusers of public trust accountable for their actions? They have obviously had no problem abusing those concerned individuals and groups who have shared true and accurate information in the past few years, identifying gross mismanagement, discrimination, favoritism and abuse which led to these issues which threaten the health, reputation, fiscal position and possibly even the future survivability of the District.
I wasn’t impressed with this settlement, and lawyers for the plaintiffs did not return my inquiries as to why they settled for only 1 year more of credit monitoring, etc. If 14 databases were up for sale on the dark market, were the data bought by anyone who will misuse it in three years from now?
And yes, I screamed repeatedly that the US Education Dept and FTC should investigate this breach and the District’s infosecurity and response. Nada. But if those directly affected don’t speak up and demand accountability, it’s not going to happen.
PLEASE INCLUDE ME IN CLASS SETTLEMENT.
Nope. I am a journalist, not a service. Include yourself by going to the settlement site and following the directions.
I agree with most of the above comments; I can’t find anything legitimizing this offer.
This whole thing seems like a total “FUBAR” situation regarding Maricopa County’s assessment and reaction to the data breach. Allow me to elaborate – by the numbers;
1.) December 11th, 2015 – Received post card today.
2.) I went to Scottsdale C.C. for one semester back in 1975. That’s not a typo. I’m talking about 40 years ago.
3.) Incident/Data Breach occurred over two years ago and I received first notice today. Before now, I’d not heard about any of this.
They sure are handling things in a timely manner, eh?
Best Wishes!
Yikes! But there are other schools/certification programs that use MCCCD that might be the way MCCCD got your details (apart from one course in 1975). They run courses for paramedics and other types of service providers. Some people who took courses or certification training in fields didn’t realize that their data was going to MCCCD.
Greetings Again,
I understand the possibilities you’ve mentioned. However, I moved out of Arizona in early 1976 and went to L.A. for a brief while. After that, I have lived either abroad or on the East Coast of the U.S. since 1977!
A thought did come to mind though after I posted my first comment. It came to me after I reread what E. M. posted above in comment #4. Please allow me to quote from his comment;
“…..it sounds to me like a last ditch attempt by Kroll to get more revenue and justify the need to spend more taxpayer money, in the name of settling a class action suit.”
I’m generally suspicious by nature and considering my details (and what E.M. offered up) I couldn’t help but picture a scenario at Kroll where someone came up with the bright idea to contact everyone who was ever in the MCCCD system. Maybe even making an avarice inspired attempt to go back to day one of the MCCCD, whenever that was.
Since E.M. also stated that Kroll gets paid for each person who voluntarily signs up, it may just be they’re trying to increase the number of potential enrollees. It might explain why they have bypassed me until now, well over two years after the fact and just over 40 years after my one and only semester in their system. You never know but strange things do happen when proven incompetence and potential greed get mixed together.
So, in closing, I will say that I hope all works out well for you in accomplishing your mission and the best of luck to you.
By the time I got the notice in the mail that they sent to my old address someone out of the country was already using debit card abroad
I have become a victim of identity theft. This must be the reason why. Any resolution of my situation would be acceptable.
To be clear, this breach doesn’t have to be the reason why you became a victim of identity theft. There have been numerous big breaches involving identity information.
My number on the post card I received is: C10214295
I have no idea why people are posting their numbers on this blog. There’s nothing this blog can do for you. Just follow the directions on the settlement site or opt out of the settlement.
have no idea what this is for, did not attend the community college, but may have taken classes for my licensure (lisac), that would include this–what is this for