PHOENIX - Could last year's security breach involving the Maricopa Community Colleges have been prevented?
Two employees say yes.
Miguel Corzo and Earl Monsour were Directors of the Strategic Information Technologies for the Maricopa County Community College District.
Corzo is on administrative leave. Monsour is on leave because of a disability.
Both men say they were there when an internet site was found showing Maricopa Community Colleges information for sale.
It involved Social Security numbers and other information of about 250 employees.
They say an internal and external investigation took place.
While it didn't appear information was misused, Corzo and Monsour say they knew the servers were vulnerable to an attack and something had to be done.
"I continually informed the Vice Chancellor. I would routinely update him on what I thought was the lack of progress being made in taking corrective action on the servers," Monsour says.
The solution, they thought, would be to completely remove the servers that had been compromised and rebuild them from scratch.
I asked them what steps were then taken.
"Very few," says Corzo. "Mostly there were plans developed, to take certain steps and very few if any of those steps were taken."
Both Corzo and Monsour say they repeatedly sent emails urging action to be taken. They say they even filed a grievance citing a lack of progress on fixing the security problems and other issues in the department.
Then it happened again.
In November of 2013, the Maricopa Community Colleges sent letters to more than two million people saying their information may have been exposed because of another security breach earlier in the year.
The men say the district's inaction involving the 2011 breach is one reason it happened again in 2013.
But the district blames employees.
District lawyers sent letters to Attorney General's in other states warning their residents of the 2013 breach.
In those letters, lawyers acknowledge the 2011 security issue. They say there was an internal investigation, and that an outside security consultant was hired.
But the letter claims that certain employees withheld information and obstructed the investigation. And they say employee actions led to what happened in 2013.
Further, the letter says management did not even know about the 2011 breach, until the 2013 incident was being investigated.
To that, Monsour says "Bull. It's bull. All of that is just a fabrication. All of the information was given to the Vice Chancellor in that period of time."
As proof, Corzo and Monsour show an email they say was sent throughout the college district.
It was in March 2011, just after the first breach and it was sent by a vice chancellor mentioning an "internet site" and "personnel data for sale."
In a statement, MCCCD spokesperson Tom Gariepy says:
"Maricopa Community Colleges wish we could respond in detail to those statements, but the matters they refer to are part of disciplinary actions against several employees that are now underway. To protect the procedural and privacy rights of those employees, the disciplinary actions are private at this point, and we cannot talk about any public accusations made by two of the employees. It's possible that we can provide more information at the conclusion of the process.
As for questions about matters never being brought to senior officials, our public report to the Attorneys General provides the answer to your question, to the extent that it can be presented to the public before pending personnel matters are resolved.
In addition, we can tell you that managers act on the information they have, and the District has done so. There is no question that before the 2013 incident, District IT needed additional resources to meet staffing levels, upgrade skills, replace aging equipment and software, and improve the quality of administrative programs and web-based services.
In February, 2013, our CIO presented comprehensive information to the Governing Board calling attention to these needs, and the Governing Board unanimously supported his resource request. We cannot say what the Stach and Liu report contained, but if it had been presented directly to senior management it would have altered priorities and planning significantly. "