The Maricopa County Community College District announced Nov. 27 that it is notifying approximately 2,489,000 students, employees and suppliers of its colleges that their personal information may have been exposed without authorization.
As a result of the district’s IT security vulnerabilities, certain sensitive information including individual names, dates of birth, Social Security numbers and bank account information, but not credit card information or health records, was exposed. The district is not aware of any evidence of actual misuse of any personal information, according to a press release.
“On behalf of the district, I deeply regret that this occurred and am leading a thorough response designed to prevent this from happening again. We are examining every aspect of our IT operations, and the changes underway are making us stronger system-wide," MCCCD Chancellor Rufus Glasper said in a press release.
“While we are not aware of misuse of anyone’s personal information, we are providing resources to assist all of the people whose information was in these systems, including credit monitoring and other identity safeguards, managed by a nationally known identity protection firm,” Dr. Glasper said.
District officials first learned of IT security problems from federal law enforcement on April 29, 2013, and began an investigation. Forensic experts were retained to assess and strengthen the operations of district data systems and to examine whether any sensitive information was accessed or exported, according to the release.
In addition to cooperating with an ongoing law enforcement investigation, the district informed the Arizona Auditor General’s Office of this situation and has provided extensive briefing to this regulatory body. The Higher Learning Commission also has received extensive briefing concerning this situation. Regulators outside of Arizona also have been contacted consistent with legal obligations, according to the release.
The investigation involved multiple servers and systems and an extensive review of data, operations and processes over several months. The investigation found employee conduct that did not meet the district’s standards and expectations, and appropriate employment action is being taken, according to the release.
After learning of the incident, Dr. Glasper ordered action including:
·Initiating immediate actions to strengthen security and take offline portions of its IT systems with security vulnerabilities until improvements could be completed;
· Installing new security technology, including firewalls, real-time blocking and monitoring functionality, and other security protections;
· Conducting a comprehensive review by independent experts of all IT security policies and procedures and implementing increased security measures;
·Taking employment action in connection with employees whose conduct did not meet standards and expectations, and making personnel changes as warranted.
The district has contracted with Kroll Advisory Solutions to provide identity safeguards and other services for one year at no cost to the individuals who are being notified by letter that their data may have been exposed.
The Maricopa Community College system is made up of 10 colleges – Chandler-Gilbert, Estrella Mountain, GateWay, Glendale, Mesa, Paradise Valley, Phoenix, Rio Salado, Scottsdale and South Mountain. There are also the Maricopa Skill Center and the Southwest Skill Center, Maricopa Corporate College and several satellite facilities.