MCCCD data breach saga continues, costs mount

It has been more than a year now since the FBI supposedly alerted the Maricopa County Community College District that there was a possibility a hacker had broken into its system and accessed student and employee information. According to the District, over 2.5 million notifications were sent to students and employees on April 29, 2013.

Since April 2013, quite a bit has happened on some fronts, and very little on others.

MCCCD data breach history

The District sent out notifications due to a breach in January 2011. Little was done to address the concerns raised by that breach. Many believe that the failure to react appropriately by District’s administration may have resulted in the most recent vulnerability in April 2013.

Documents show that in 2011, an incident was reported, an investigation was conducted, decisions were made, and a plan was formed to protect the information of students and employees. The problem seems to be that the plan was never followed through, leaving information that the District was custodian of, vulnerable to more attacks.

The District has stated publicly that the fault lies with employees who did not communicate the extent and severity of the 2011 incident to the senior executives. However, other documents have surfaced that show these same employees repeatedly conveyed the delicate information, and the need for immediate action, to the leadership who claims to have been kept in the dark.

According to sources, the Vice Chancellor of Information Technology (VCIT) received multiple warnings in 2011 and 2012 about the condition of the web servers, the risks associated with the dangerous situation and the need to take corrective actions immediately.

Supporters of the District are wondering why these actions were not taken. The District will not provide information as to why a hacked server was not replaced and why was vulnerable programming code allowed to continue to reside on their system.

Questions remain as to whether the replacing the server was a lower priority than other pet projects, or if the vice-chancellor of IT was he getting conflicting information from other staff members about the actual risks involved if nothing was done.

In the spring of 2012 multiple IT employees brought forward a complaint to the Chancellor, specifically outlining many allegations against the VCIT. The complaint warned the Chancellor of many exposures to the District due to gross mismanagement and waste of taxpayer funds in the IT organization. It identified issues such as favoritism and discrimination on the part on the VCIT, stating that the changes made by him had resulted in severe financial and operational risks to the District. The employee complaints were handed off to the Vice Chancellor of Human Resources (VCHR), who then assigned the Manager of EEO to investigate. Legal Counsel and others were involved in the communications. The Manager of EEO soon learned that the issues were extensive and the issues critical, and recommended an objective, external investigation.

In the meantime, alarmed citizens addressed the Chancellor and the elected Governing Board members during Board meetings, expressing concern over the apparent mismanagement issues in IT and the failure of the Chancellor, and even the Governing Board, to address them. They requested the Governing Board conduct an investigation.

Employees in IT were resigning or retiring early, at an alarming rate. Loss of skills and experience had a major impact on IT operations, including security. One employee, who resigned just a couple of years short of retirement, corresponded with the Chancellor and Governing Board, citing scapegoating, a hostile work environment, and many other negative conditions existing in IT. She requested an investigation.

Presentations were made to the Board by the Presidents of the Management, Administrative and Technology (MAT) and Professional Staff Association (PSA) groups of the District, citing major problems in IT, and asking for an investigation.

The District Ombudsperson, after many interviews with concerned employees, asked the Chancellor to pursue an outside investigation into the matters surrounding IT. Tensions mounted throughout 2012. And so did risks and costs. People wanted someone to take an objective look at the problems. It was unanimous – except for the Chancellor and Governing Board apparently – that an investigation was needed.

Many communications were sent to the Chancellor by frustrated IT employees throughout 2012. It resulted in a Grievance being filed by several IT employees in October 2012, listing many specific complaints that had not been addressed, but created major risks to the District, taxpayers and students. These issues included the web security, and failure of the VCIT to address them. The Grievance was delivered to the Chancellor by the presidents of the MAT and PSA groups. It has since been given to the Governing Board.

An investigation was finally begun in the fall of 2012 by a law firm hired by the District. Although the employees were assured by the Chancellor that all of their concerns would be investigated, the investigator reported that it was limited to only EEO discrimination allegations. They were the only items that were addressed. To date (April 2014), we’ve been told that the Chancellor still has not responded to the employees’ Grievance. That raises another question, how reliable can an investigation be if the person(s) commissioning it are some of the people who are subject to the investigation?

Through 2012 there were major red flags raised by employees, citizens and former employees, but apparently no action was taken by District leadership or the Governing Board. The District asserts that the executive leadership did not take action prior to April 2013 because they were not aware of the web security problems and risks; however there is too much evidence to the contrary

In April 29, 2013 the FBI reportedly contacted the District, alerting them to a possible security breach by a hacker. The District refuses to say what, if anything, they did in response. According to Board meeting documents, the Interim CIO did not even know about it until the week of May 13, 2013. What the District did in the weeks immediately following the FBI contact is unknown.

Costs of failure mount

The District hired the law firm of Wilson Elser. Wilson Elser has no offices in Arizona. Wilson Elser brought in Kroll Solutions, a security consulting firm; as a result, the District has spent millions of dollars in outside contracts.

Kroll investigated the incident, and finds that there may be a link to activities (or lack of) in 2011. However, it is not until August 2013 that Kroll asks two key IT employees from the 2011 incident any questions. By this time, according to the two employees, Kroll had already formulated their story, were not listening to anything they had to say and were simply making accusations against them. Although many documents were provided to Kroll and Wilson Elser during and subsequent to the August “interviews,” none of the allegations changed.

In November 2013, the two employees were sent formal notifications that they were being given one day to appear before the Kroll investigator and the Interim VCHR to respond to a host of allegations against them. They responded according, again bringing supporting documentation. They even provided written testimony from a former employee who was integrally involved in the 2011 incident. Unfortunately, Kroll and the Interim VCHR did not even acknowledge the documentation or testimony. Sounds like the scapegoating that the IT employees alleged way back in 2012. And what a coincidence, the day after the employees appeared before Kroll and the Interim VCHR, at the Board meeting the Chancellor’s contract was extended. And the following day, the “breach” was made public, blaming employees in IT for all of it. They stated that District leadership was never told. Too many documents have come forward since then to challenge that statement.

As a result, in January of 2014, the two employees received notification that they were being recommended for termination, based on the exact same allegations that were previously made. Since then, the public has been witness to many things. The District has refused to release information that has been legally requested per the Public Records Request laws of Arizona by many newspapers, news channels, law firms and individuals. At first they stated it was because there was disciplinary action pending against employees, and then they claimed “it would place our security at risk.”

Governing Board has information

As for the Governing Board, they have managed to stay at arm’s length until now. The employees have forwarded to them the same Grievance, documents and information that was supplied to the Chancellor. In addition, the many concerns were raised by the public directly to them over the past couple of years. They seem to continue to ignore the issues.

Recently, two Board members came forward and expressed their concerns over how they have been treated and advised by Wilson Elser. These two Board members raised the issues with Wilson Elser and voted against extending their $2.7 million contract until December 31, 2014. They lost in a 3-2 vote.