In one of the largest College/Education data breaches, Maricopa Community College is notifying almost 2.5 million current and former students, vendors, employees, and apparently people who never attended. Information breached includes Social Security numbers and bank account information. The Office of Inadequate Security (www.databreaches.net) has a great write-up about the breach here. But the real story here is the breach response and notification – while reading the comments, several things have stood out.
Credit Monitoring Service or Scam?
The college has partnered with Kroll and is offering free credit monitoring to those affected through a service called ID Integrity. Several people have voiced concern that this is a scam (it's not) because the website seems “scammy” and the site has been down (as of this post the site is up but acting weird). Kroll, or ID Integrity, hasn’t done itself any favors by offering up a service through a poorly constructed website, and its lack of uptime doesn’t speak well for its legitimacy. People's scam concerns are understandable.
But I never attended.
“I got this letter as well today in the mail! I am not sure if I should trust this letter or not. I attended college in Northern AZ at a private university for aeronautics. This was in Yavapai County and NOT in Maricopa County. Something is really strange here. Please help!”
“My girlfriend and 90 yr old grandmother also got these letters and neither have ever registered at any college let alone one affiliated with MCC. Hmmmm”
There are several legitimate reasons a college might receive and keep information about individuals who may never attend. Where the school erred was in not addressing this head-on. First, it needed to explain to those who might receive a letter but never attended how it came to legitimately receive a person’s information. This is a simple case of the college needing to explain itself in simple and straightforward terms.
The other piece is fixing a data retention policy that allows it to keep SSN and bank account information for individuals who haven’t had business with the college in over 10, 20, or 30 years, or who never had any!
You can read the whole article and comments here: Maricopa Community Colleges notifies 2.5M after data security breach (update 1)