A US school data breach that affected millions of individuals has ended up costing the education system millions of dollars more.
The Arizona school district – which has about 265,000 students enrolled in courses annually in 10 community colleges – is notifying nearly 2.5 million students, former students, employees and vendors that hackers may have compromised their personal information in a data breach.
“The distinction I need to make is that we don't know if anyone ever came in and either looked at this data or took it for whatever purposes,” Tom Gariepy, a Maricopa County Community College District (MCCCD) spokesman, told SCMagazine.com on Monday. “What we do know is that the data was vulnerable to that, but there is no evidence that anyone ever did it.”
The sensitive data includes a mixed bag of names, dates of birth, driver's license numbers, student information, Social Security numbers and banking information.
The district was alerted to the attack on April 29 when the Federal Bureau of Investigation (FBI) notified school officials that sensitive information from the district's computer networks was being offered for sale online.
A weak computer defense infrastructure may have allowed attackers to get into the district computers and steal the sensitive information, according to Gariepy, who explained that certain district employees with IT responsibilities failed to meet standards and expectations and that appropriate disciplinary actions are being taken as a result.
Up to $7 million was approved on Tuesday by the district's governing board to be spent on notifying affected individuals, maintaining a call center and offering a free year of credit monitoring and identity theft protection services, according to Gariepy, who indicated that there have been no reports so far of the information being used inappropriately.
Firewalls, real-time, state-of-the-art monitoring and additional security measures will be implemented on top of the $7 million, Gariepy added, explaining the district is carrying out a comprehensive review of all policies and procedures.
“One reason it took as long as it did is because there are multiple systems and servers and there's millions of accounts,” Gariepy said, adding the investigation is ongoing. “It took a long time to review. Obviously there's a great deal of information we still can't talk about.”