Data Breach Costs: Maricopa County Community College District Ups Its Breach-Related Costs Again.

Maricopa County Community College District (MCCCD) is making the news again… for the same data breach (yet again).  The site is reporting that MCCCD’s costs related to last year’s data breach have gone up once more, by another $2.3 million.  The college district has spent nearly $20 million since the data breach was revealed.

This incident shows how bad things can get when one decides to just ignore the risks of a data breach (like when companies opt to face the consequences of a low-level risk event instead of using laptop encryption because, hey, not encrypting is free).

A Bad Move

One of the most damning aspects of the MCCCD data breach is that they had experienced a previous data breach in 2011.  As a result of that breach, MCCCD’s IT department had predicted with high precision what could happen in the future if security weaknesses were not addressed.

These were not addressed and, lo and behold, they had a massive data breach in 2013.  So, is it any wonder that MCCCD is now spending $20 million (and possibly more) to clean up after this mess?

Now, MCCCD could point out that they are the victim, and they’d be right.  But, they’re also the perpetrator.  Let me compare it to something else.  Let’s say we’re talking about banks and money.

There is a bank.  Its security personnel point out that a four-year-old could toddle in and steal the money in the bank’s vaults, and recommend fixing the problem.  The bank’s officers decide not to solve the problem.  Two years later, someone steals money from the bank’s vaults, following the exact method previously described by security personnel.  Is the bank a victim?  Yes.  Did they deserve it?  No.  Did you see it coming from a mile away?  Yes.  Does it feel like the bank’s a victim?  Of course not.

To MCCCD’s credit, they didn’t play the victim card.  But plenty of other companies and organizations have, under the exact same conditions (and more will most probably do so in the future).

What’s Next?

Things are not over for MCCCD.  While it’s a long shot, the groups suing MCCCD could come out on top in the courts.  For instance, what’s to stop the hackers who stole MCCCD’s data from suddenly hawking it in the underground black market?  Then, the students who were affected by the data breach start connecting the dots, and boom! you’ve got a viable case on your hands.

And, even if this were not to happen, there’s another aspect of MCCCD’s data breach that should be worrying the college district: namely, the fact that they ignored recommendations to strengthen their data security.

The lesson is a familiar refrain: an ounce of prevention is worth a pound of cure.

