MCCCD ignored employees warnings, security breached

The consultant costs, legal bills, and news reports continue to mount in the wake of the revelation by the Maricopa Community College District Administration that a security breach may have compromised the personal information of approximately 2.4 million current and former students. But it is the breach of the public’s trust and that of former loyal employees that has some concerned.

Earl Monsour had great success in private industry for years before taking a position in the IT department at the Maricopa County Community College District. At this stage, Earl was no longer heavily focused on the financial aspect of life. He took the position in academia because he believed that after chasing the dollar for years, it was time to give back to his community. According to all accounts, Earl Monsour gave his community his all.

One former employee described Monsour as sometimes coming in at 5 a.m., working all day, going home for a bit, and coming later at 8 p.m. to work until the wee hours.

You have to wonder if Earl would take that time back. He surely could use that time.

Earl has Stage 4 cancer and believes that God is keeping him alive to see his twelfth grandchild born this spring.

According to employees, prior to a security breach of the system in January 2011, the IT department, which was under the supervision of Vice-Chancellor George Kahkedjian, was a chaotic and often hostile place. According to sources, Kahkedjian tried but could not seem to build a team. “There was no question the organization was crumbling,” says Martin Gang, Assistant Vice-Chancellor Information Technology/CISO with the Yosemite Community College District. A security breach was bound to happen because communication was difficult in the acrimonious atmosphere.

Earl Monsour

Earl Monsour

Despite the fact that Monsour had no control over operations of the computer system, he sounded the alarm. At the time, Monsour was only responsible for policy and had absolutely no authority to implement it.

As a matter of fact, the District did not have a CISO or a single individual manager responsible for IT security under Associate Vice-Chancellor Steve Creswell and Kahkedjian.

So when the District advised Monsour that Chancellor Rufus Glasper was recommending to the board that he be dismissed along with Miguel Corzo, who had been the Director of Strategic IT Common Systems before a 2012 reorganization by Kahkedjian, he was shocked.

Marty Gang shared Monsour’s feelings about the unjust scapegoating going on at the District. At personal and professional risk, Gang tried to come forward and share his truth. He knew he was virtually eliminating any chance of returning to the District he loves if he shared his truth, but he, like Monsour is driven to do “the right thing.”

Gang describes Monsour as an “outstanding IT professional, who is methodical. He comes from a private background, so he was very conscientious about costs. He would occasionally end up disagreeing with others because he wanted the work done right and not what was politically expedient.”

So, Gang reached out to the District…on numerous occasions. Finally in a letter dated November 24, 2013, Gang wrote, “I am writing this statement as I am aware of an investigation conducted on behalf of Maricopa. I have made repeated requests that Earl Monsour provide my name and contact information to the investigative team, and I am sure that he has provided that information. Despite having the contact information, no one has yet called, written or made any other visible attempt to contact me. Since I have direct material information as to the events that occurred in the discovery, identification and attempted mitigation of the security incident discovered in January 2011, I believe it is my responsibility to ensure that Maricopa receive this information so that any investigation conclusions would be based on all appropriate information.”

According to Gang, “At no time during my employment at Maricopa did Earl Monsour hold the position title or responsibilities of Director of Information Security. Under Darrel Huish’s leadership, the district did not have a CISO or a single individual manager responsible for IT security. During my employment at Maricopa ITS, I had several direct conversations with Darrel Huish and George Kahkedjian about the organizational structure and the absence of a formal CISO or Director of Information Security as I was trying to map future career options and understand why Maricopa ITS seemed to have a gap in its organizational structure. To the best of my knowledge, at no time while serving as Interim VC IT did Steve Creswell appoint a Director of Information Technology, nor did George Kahkedjian appoint anyone into that role.”

Gang writes, “After Rod Marten and I were transitioned from reporting to Earl to reporting directly to Darrel Huish, both Rod and I were assured by Darrel that Earl had been moved from all operational responsibilities and was moved to strategic planning and the writing of policy, guidelines and practices. This clarification of duties was repeated by Darrel to the entire senior leadership team. In addition, George Kahkedjian repeatedly stated at multiple senior leadership meetings that Earl was not responsible for any operational tasks. He was directly responsible to develop standards and policies. All operational responsibility for Infrastructure was the direct and clear responsibility of Rod Marten and me.”

Gang explains that the District had a network scanning tool (Nessus Vulnerability Scanner) that was to be used to scan the Maricopa ITS server environment four times each year.

The results were to be reported to Rod Marten, Rich Lang and the Server Team. According to Gang, “The server team would then build a plan and update/modify the systems to address the scan findings. While I supervised the network team in 2010 and early 2011, the system scans were completed and the information was shared with Rod Marten and his team.”

Doug Harper was responsible for “the installation, configuration and ongoing maintenance of the IDS/IPS system…Doug personally assured me that the original IDS was functioning in passive mode in February 2011, and that the new IDS/IPS would be functioning by May 2011,” according to Gang.

Gang claims that Harper “repeatedly stated he was concerned that migrating the IPS system to active mode would cause operational disruptions with some ERP system functions. Doug was directed to identify and obtain the assistance needed to make the security system fully functional. In May 2011, Rod Marten was assigned leadership over the network team, and I was transitioned to project management for the Oracle E-Business Suite upgrade project. Rod was informed at the transition that he needed to verify that the new Cisco IDS/IPS was fully functional and not disrupting applications. In August 2011, I spoke directly to Doug Harper and asked if the Cisco IDS/IPS system was installed and functioning, and he assured me that it was.”

In January 2011, it was discovered that a known hacker site was offering login account information for sale from Maricopa.

According to Gang, the investigation discovered that the main web server was “seriously compromised, all the way down to root access.”

The District hired the Stach and Liu security consulting firm. They were to uncover the full extent of the incident, identify mitigation strategies and attempt to identify if any data had been taken.

Earl Monsour was initially made responsible for being the liaison with the consultants. Within a week, Rod Marten took over that role. Marten and Richard Lang were the operational team with direct responsibility for the compromised systems.

Gang writes, “Several weeks after the security incident was discovered, Rod Marten shut down the investigation into any other systems and directly stated to me that he believed those searches conducted by Michael Cervantes were finding false positives. Given the information provided by Rod Marten and contrasting information provided by Rich Lang and Michael Cervantes, I disagreed with Rod’s conclusion and told him of my disagreement. However, the team reported to Rod and that was his decision.”

Because he was the individual who initiated the contract for services, Monsour received the 2011 security incident report from the consultant.

According to both Monsour and Gang, after receiving and briefly reviewing the report with Marten, Gang and Monsour emailed a copy of the entire report to themselves and Kahkedjian.

“As a direct result of the investigation and consultant’s report,” writes Gang, “Rod Marten was tasked to replace the web server. He originally believed he could easily replace the system in two weeks. After his initial efforts, he discovered the system was heavily interconnected. Rod then announced he believed that Maricopa ITS should instead purchase the web environment using a SaaS provider. After presenting his proposal to George Kahkedjian in late April 2011, George accepted the proposal, and Rod and I were both tasked with working directly with Marketing and Public Relations to identify system requirements.”

Gang says that when the process continued without positive actions, he shared the concerns with Marten and Kahkedjian.

Gang told them that the system must be replaced because it was so “severely compromised that there was no genuine assurance that it was clean.”

Before leaving in November 2011, he understood that Marten would have a new secure web environment by January 2012.

It didn’t happen.

Gang compares the situation to someone who has come home and finds that their window has been broken, and someone has entered their home. The intruder did not take anything, so the homeowner does not repair the broken window. The breach remains. Clearly, the homeowner does not take their personal security seriously. Therefore, they cannot be surprised when another intruder comes in and steals their belongings.

So he and many others were not surprised, but grievously disappointed, when the District announced that the system had been hacked after hearing from the FBI on April 29, 2013, that they had found a website offering data from the district’s IT system for sale.

The District claimed officially that the breach was not disclosed for seven months because the District was investigating the extent of the exposure. However, the disclosure was made only days after the District’s Chancellor had his contract renewed by the Governing Board.

The District announced that IT employees have faced disciplinary action. Their statement read, “We started immediate steps to make the system secure, and it’s become progressively more secure as time has gone on,” he said.

The District has incurred approximately $14 million in lawyers’ fees, security consultants, and the consultant’s marketing arm.

Linda Brown, an area resident, hopes to come before the Governing Board tonight to discuss the number of people who sent letters to the Chancellor in 2012 warning him about the IT issues. Brown believes that had the District listened to Corzo and Monsour and acted on the letters, it could have saved millions in taxpayer dollars by avoiding the 2013 security incident. She intends to call for an investigation by the Attorney General’s Office.

In 2012, Brown told the Board, “Vice Chancellor George Kahkedjian has stepped up his campaign of demoralizing, mistreating, demoting and otherwise abusing key staff members. He gives plum promotions to his pet employees even when they are not up to the tasks. Cronies who lack the required training and experience are put in charge of major costly projects that they have no business running while capable, experienced staffers are shunted aside. Vice Chancellor George Kahkedjian bullies and demotes those he doesn’t like, regardless of their competence.”

At the time of the 2011 security incident, Corzo, in his role of Director of Strategic Information Technology, was responsible for all the Enterprise ERP databases, Enterprise Identify Management System, Enterprise E-mail and Business Intelligence. None of these systems were compromised in 2011. The only compromise took place in the main Maricopa web servers – servers for which Corzo was not responsible. The responsibility for these servers and the small databases residing on these servers rested with then Assistant Director, Marten.

Managers like Miguel, who have dedicated their lives to the District, have been placed on administrative leave for no apparent reason, leaving the department virtually devoid of institutional knowledge. “This is the biggest risk of all,” says Corzo.

Miguel said, “We followed their chain of command, contacted their direct report, leveraged their representatives, sent over 12 letters to their Chancellor and as a last resort, contacted their Governing Board. No one cared to listen.”

Miguel Corzo

Miguel Corzo

Corzo, a very private man, said, “Ultimately, we had to go to the press to find some justice. Justice for employees who were demoted 3 months prior to their announced retirement. Justice for employees who were forced to leave a few years short of retirement. Justice for women in ITS that were humiliated and harassed until they were forced to quit a job they love. Justice for ‘good soldiers’ that have been with the system for nearly 30 years and were forced to retire against their will. Justice for people who have dedicated their entire careers to serving faculty, staff, and students. Justice for an individual like Earl Monsour, who had been on medical leave for months, and is not planning to return to work due to his medical condition, yet Maricopa is trying to terminate his position. This wasn’t about the people. This was about huge egos that blindsided one of the largest educational systems in the nation and ultimately led to the biggest security breach in the history of MCCCD.”

Maricopa ITS has lost nearly 50 percent of their IT staff. Some people were forced to retire early; others quit because of harassment, retaliation and fear in the workplace. Several left a few years short of retirement.

According to Mr. Corzo, “MCCCD failed to realize that it is all about the people. A long-time friend, mentor and ex-VC of ITS, Mr. Ronald Bleed, used to tell me: ‘Miguel, it is about the people.’”

The cost of losing the institutional knowledge is incalculable. Losing the reputation, one that you have spent a lifetime sacrificing for, is unacceptable to those who devoted their lives to the District. And good men like Miguel Corzo and Earl Monsour will fight to ensure it does not happen.

And good men, like Marty Gang, will do the right thing and try to make sure it cannot.

3 Comments on "MCCCD ignored employees warnings, security breached"

  1. Another serious problem at mccd was the lack of an Information Systems Auditor. The district’s auditors act as an independent consult to the Board. They have the authority to investigate and report on both management and process deficiencies. The previous IT auditor had a good understanding of the systems and was very effective but retired in 2004 and wasn’t replaced. Why? By 2003 Maricopa had squandered $40 million dollars on failed IT systems and was warned all along by the IT auditor of impending failure. They ignored his warnings. When he retired, rather than find a replacement with both the auditing skills and technical knowledge they dropped the position. So, Maricopa not only had no one responsible for security it also didn’t have a specialist auditor who could cut through the politics and advise management. Dr. Glasper each year gets the Board to renew his contract for another three years. This is just another management screw up on his watch. He’s made sure it will cost Maricopa a bundle to get rid of him. As for the Board, at Maricopa it’s a dysfunctional mess with endless racial political squabbles between the Latino and Black factions.

  2. Current MCCCD ITS Staff | March 4, 2014 at 4:02 pm |

    As someone who has been in MCCCD District Office ITS for many years, witnessed everything and still comes to work every day despite the horrendous working conditions. I will put my hand on a bible and say everything in this article accurately reflects past and current events. It is exactly true, and I doubt MCCCD will ever hold the proper employees or contractors responsible, politically it would destroy MCCCD.

  3. Current MCCCD ITS Staff | March 4, 2014 at 4:03 pm |

    In addition, thank you Mary Gang for coming forward. You are a true and good person.

Comments are closed.