Maricopa Community Colleges Data Breach (2013)

The Maricopa County Community College District waited seven months to notify 2.4 million current and former students and employees that their academic or personal data were compromised in an April security breach. The districts governing board has already approved several million dollars for repairs, which are still being made, and on Tuesday agreed to spend up to $7 million more to notify everyone who is potentially affected, spokesman Tom Gariepy said Wednesday. Letters will be sent to current and former students, employees and vendors of the districts 10 colleges going back at least several years to alert them that their information could have been seen, Gariepy said. Among the vulnerable data were employees Social Security numbers, drivers-license numbers and bank-account information, he said. Students academic information also may have been exposed, but not their personal information. There is no evidence that any information actually was looked at or stolen, Gariepy said. A company has been hired to handle questions and assist people who may have been affected. The FBI notified the district on April 29 that it found a website advertising personal data from the districts information-technology system for sale, Gariepy said. The districts website was taken down that day and stayed down for several days before being restored in stages. Gariepy said the district didnt release information about the event at the time because it was investigating the extent of the exposure. There was a tremendous amount of data, and the forensics investigation around this was very complex, he said. They had to look at a number of different systems and servers and databases. It would have been nice to say something earlier, but we couldnt give anyone information until we could say it with certainty, even if its not conclusive. At the same time, the district was repairing its information-technology system and didnt want to publicize that it could be vulnerable, he said. Gariepy said the district has installed more firewalls and security procedures. He also said some employees in the information-technology department face disciplinary action. He would not elaborate. We started immediate steps to make the system secure, and its become progressively more secure as time has gone on, he said.