Nobody said bouncing back after a breach was easy. But the news that one breach is costing an Arizona university around $20 million is a harsh wake-up call about the difficulty of recovering from an attack.
Class-Action Complaint, Records Management Costs Contribute to Mounting Tab
As with most educational institutions, the Maricopa Community College District is not exactly a wellspring of disposable income. But, according to The Republic, that doesn’t change the fact that the school district is having to shell out almost $20 million to recover from a malicious infringement that happened last year.
The breach, and its fallout, provides a case study in what not to do when such an incident occurs.
According to a separate Republic piece, the actual infringement happened more than a year ago. In late April 2013, the FBI alerted the MCCD that it had discovered a third-party website offering data from the MCCD’s internal system for sale. This clearly indicated that a monetarily focused malicious attack had happened.
After hearing the news from the FBI, the MCCD quickly shut down its website and kept it down for several days as it conducted an internal investigation.
Best practices suggest that the district would also notify members of the MCCD community — whose private information was contained on the site — about the extremely high probability of a breach. But instead of offering transparency, the district waited a full seven months before reaching out to the approximately 2.4 million current and former students and employees whose personal information — including academic records, Social Security numbers and even bank account information — was potentially compromised.
MCCD spokesman Tom Gariepy provided the following reasoning in defending why his district held off on informing potentially affected parties: “It would have been nice to say something earlier, but we couldn’t give anyone information until we could say it with certainty, even if it’s not conclusive.”
But the fact that the MCCD waited such a long time is bad form no matter how you spin it.
MCCD Now Dealing with the Consequences of a Failed Breach Response
Recovering from a breach is hard even for the enterprise that does everything right, including making an announcement immediately upon discovery. But by acting evasively and providing excuses instead of a suitable display of contrition, the MCCD dug itself a deeper hole. It is now paying the price.
In April 2013, a class-action complaint was filed against the district for what the plaintiffs deemed the MCCD’s “failure to adequately protect the confidential, private personal information of its current and former students and applicants.”
In addition to that complaint, the plaintiffs said that the district “deliberately misled and deceived them about what had happened and the true nature of the risks.”
For its part, the MCCD will be paying for these mistakes for a long time. The legal fees alone stemming from the incident stand at around $2.3 million, and the overall recovery price tag of $20 million will likely have a negative impact on other MCCD budgetary areas.