MCCCD restructures data security after incident
The Maricopa County Community College District security incident that occurred in April 2013 left nearly 2.5 million students’, employees’ and some vendors’ personal information exposed and could cost the District $14 million dollars in upgrades and victim credit protection.
According to Tom Gariepy, MCCCD spokesman, an estimated $7 million was spent on sending 2.5 million letters, providing free credit monitoring and aiding potential victims. The MCCCD governing board approved another $7 million dollars for repairing and upgrading the District’s security system. Whether insurance will cover some or any of the cost is still unsure, Gariepy said.
MCCCD first learned that its server data might be at risk in April 2013 when District was contacted by FBI officials about a website advertising that they had Maricopa college students personal information for sale, Gariepy said. Following up on those claims, the website was found to not have any personal information at all. The Incident led MCCCD to look at its security, which involved months of examining multiple servers and millions of units of data, figuring out any security risks, confirming them and replacing them, Gariepy said. Those whose data was exposed were not notified until November of that year because of the extensive review of the District’s security and the nature of the breach.
“We don’t have any evidence that anybody came in and breached the system, but we also don’t know that anybody didn’t,” said Gariepy
While no security breach could be confirmed, MCCCD decided out of good faith to help those whose data could have been exposed, Gariepy said. MCCCD has offered one year of free credit monitoring and identity theft protection provided by Kroll Advisory Solutions for those whose data was exposed. The service not only offers protection, but also helps fix and remedy the situation. The free credit started last November and those still looking to sign up can still get most of the year, but Gariepy stresses to sign up as soon as possible.
Those who were affected include current and previous students, current and previous employees, and a small number of vendors, Gariepy said. People with ties to any of MCCCD community colleges as far back as the ‘80s and ‘90s were also affected, Gariepy added.
“I got a letter and I wasn’t sure if it was real or who the community college even was,” said Arturo Gonzalez, who attended an MCCCD college 11 years ago. “I wasn’t even sure what information they had or why they still had it.”
Why this data was still stored and held for so long was a question even MCCCD couldn’t answer, but changes are coming.
“One thing this security incident has done is caused us to start taking a look at what our data retention policies are,” said Gariepy. “We are looking at how much of this data has to be kept and whether some of this data can be archived or gotten rid of.”
Data retention changes are not the only thing MCCCD has done or will do to insure protection of personal data going forward. For security reasons Gariepy couldn’t be specific about new precautions, but MCCCD will be looking at hardening data to make it as secure as possible, upgrading firewalls and regularly monitoring the security system for any holes. “MCCCD has taken lots of steps securing data going forward,” Gariepy said, “and we are trying to make our systems as fool proof as possible.”