College Data Breach Triples in Cost to Nearly $20 Million; Tuition Raised
What does a data breach cost these days? If you’re Arizona-based Maricopa County Community College (MCCCD), it could cost you up to $19.7 million. In the wake of a data breach from early 2013, the college had initially anticipated spending up to $7 million total. A year later, that number has nearly tripled to take into account the countless fees that have added up to the gross amount of money spent mitigating the fallout.
Where is all of this money going? The MCCCD governing board approved $2.3 million in lawyers’ fees and $300k for records management. The other $17.1 million was spent on consulting, repairs, more lawyers, notification and credit monitoring. According to ESecurityPlanet.com, two class action lawsuits were filed in April, seeking $2.5k for each affected individual (2.5 million total), with claims that the college took too long (over 6 months) to disclose the breach and notify people.
The story of the MCCCD breach is a long one, dating back to 2011 when an initial breach of a server led to the exposure of about 400 records. Specifics of the breach weren’t made publicly available, but according to interviews with current and former employees, the compromised server was never replaced, which led directly to the 2013 breach of 2.5 million records.
Why wasn’t the hacked server replaced promptly? If you ask a few key employees in the IT department, they were ignored by the vice chancellor of IT when they tried to alert him to the dangers of running on a compromised server, and again when they requested to take the server offline for repairs. If you ask district officials, they’ll say the breach happened due to obstruction of information and failure to repair the server by those very employees, as reported by AZCentral.com.
The stories of why may vary, but the point remains: a once-compromised server led to yet another breach on a much larger scale two years later. In April of last year, the FBI notified MCCCD that 14 of their databases located on their web servers were listed for sale on a website. Data potentially exposed included employees’ SSNs, driver’s license numbers and bank account information, as well as students’ academic records.
While that was the extent of information available about the investigation, the exorbitant subsequent costs remain as fact, not to mention the repercussions felt by the students - in March, AZCentral.com reported that the college district governing board would hear a proposal on increasing tuition by $5 per credit in order to pay for ‘fraud prevention and mitigation,’ which may or may not be related to the data breach. My guess is the recently approved budget in May might have something to do with the tuition increase proposal in March, but that’s just speculation.
What kind of IT security tools did they implement as part of their remediation steps? According to a consumer alert listed on the New Hampshire Department of Justice website, MCCCD installed new hardware and software to create a more secure web environment, including a Palo Alto web application firewall to protect the MCCCD frontend. They also installed and configured an Oracle Database Firewall in order to monitor database communications with their student information system, as well as tools to block certain IP addresses.
Oddly enough, there’s no word of the college beefing up their authentication security, which is typically the first step organizations take after a data breach. Although there are no details on whether or not the server was compromised via exploited credentials, deploying two-factor authentication can help protect user or administrator accounts that are only protected by a password, as well as any user information that may have been leaked. Find out more about which major organizations implement two-factor after a breach in Turning to Two-Factor After Password Exploits.
As is shown by the timeline of the consequences of poor security spanning more than 3 years, data breaches aren’t cheap or isolated, and can have serious effects on both consumers (in this case, students) and organizations. By investing in the right security tools, a data breach of this magnitude could potentially have been avoided.