MCCCD IT Employees: 'District knew about security concerns' - WFXG FOX54 Augusta - Your News One Hour Earlier

ONLY ON CBS 5

MCCCD IT Employees: 'District knew about security concerns'

Posted: Updated:
FILE PHOTO FILE PHOTO
PHOENIX (CBS5) -

Two Maricopa County Community Colleges Information and Technology Services employees say the district knew about security vulnerabilities years before a 2013 server breach that exposed millions of pieces of personal data.

In late November 2013, the district announced nearly 2.5 million students, employees and suppliers of its colleges may have had their personal information exposed without authorization.

In a statement at that time, MCCCD Chancellor Rufus Glasper said, "On behalf of the district, I deeply regret that this occurred and am leading a thorough response designed to prevent this from happening again. We are examining every aspect of our IT operations, and the changes underway are making us stronger system-wide."

However, two ITS employees have come forth with documents they say show the district knew about security problems and chose to ignore the issues.

"In late January of 2011, one of our employees had been searching the web and found Maricopa Community Colleges out there. Someone reportedly had our information for sale," said Earl Monsour. At the time Monsour was the Director of Strategic Information Technologies at Maricopa County Community Colleges.

"There were actually viruses on our web servers," he continued.

Miguel Corzo, another Director of Strategic Information Technologies, made this analogy about the 2011 breach:

"It is like having someone that you know come into your house to try to steal something from your home. Then (you) come back into your house and find out that nothing was missing. However, you knew someone was there and somebody had the potential to cause damage," Corzo said.

Both men say they were assigned to fix the problem discovered in January 2011.

"What did both of you do?" asked CBS 5's Greg Argos.

"My job was to report to the Vice Chancellor the status of the information. I did that. We continually told the Vice Chancellor what was happening," said Monsour.

George Kahkedjian is the Vice Chancellor of ITS for MCCCD. Monsour said he delivered an internal report, titled 'ITS Oversight Report' to Kahkedjian in November of 2011 that discussed the security issues and stated the server had been hacked.

"In November of 2011, I created an oversight report that stated there had been no progress. (The server) was still a risk. It was a high risk and it could be critical to Maricopa (County Community Colleges)," Monsour said.

"And this was given to the department head?" asked CBS 5's Greg Argos.

"It was given to the Vice Chancellor," responded Monsour.

"So he had this in his hands?" asked Argos.

"He had that in November of 2011. But prior to that he had been told many times (about the security problems)," said Monsour.

"In the beginning of 2011, the MCCCD web site was compromised by hackers. With thoughtful attention and expeditious response, ITS was able to mitigate the damage and isolate the numbers impacted, with the assistance of a security firm," the report, provided to CBS 5 News by Monsour and Corzo, reads.

"After 9-10 months, none of the agreed upon next steps has been accomplished. We are still running on the compromised server," it continues.

The following year, on Oct. 24, 2012, Monsour and Corzo say they submitted a formal grievance to the MCCCD Chancellor, Rufus Glasper, as well as Vice Chancellor Kahkedjian. The grievance mentions the 2011 ITS Oversight Report as well as other problems faced by employees in the ITS department.

"Most of the recommendations were ignored by George Kahkedjian," the grievance reads.

The grievance was signed by Monsour and Corzo as well as four other ITS employees. CBS 5 News has contacted a current ITS employee who confirmed the validity of the grievance.

That employee also confirmed Kahkedjian had sat in on multiple meetings regarding the 2011 breach that same year, though the employee could not confirm whether Kahkedjian had received the November 2011 ITS Oversight Report.

Both Monsour and Corzo believe the 2013 breach which became public may be linked to the original breach in 2011.

"It may be the exact same situation that existed in 2011 that hasn't been resolved," said Monsour.

"We've followed every single process that there is to follow in Maricopa (County Community Colleges). We didn't skip a single one," explained Corzo, referring to the procedures he took after the 2011 incident.

Both men are now facing disciplinary action, and possible termination by the district.

"The district said they didn't do anything (to fix the security issues)," said Attorney Richard Galvan, who is representing both Monsour and Corzo.

"That's just idiotic because there are so many documents out there that say the contrary," Galvan continued.

CBS 5 reached out multiple times to Maricopa County Community Colleges, requesting confirmation MCCCD received the documents provided by Monsour and Corzo, but spokesperson Tom Gariepy claimed our questions could not be answered since this case involves a personnel issue. CBS 5 News has since submitted formal Arizona Public Records requests to obtain the documents.

MCCCD's full statement reads as follows:

"The Maricopa Community Colleges cannot respond publicly to these allegations. Based on the findings of an independent professional investigator, MCCCD initiated disciplinary action against several employees. Before action was recommended, each employee was afforded an opportunity to respond to the findings with additional information and perspective. Each employee requested and is entitled to a hearing before a final decision is made, and each has requested such a hearing. Advocates for some employees have attempted to make these personnel matters into public political issues: they have requested that the board stop the hearing process for these employees. However, MCCCD owes all affected employees a decision that is not influenced by publicity and politics. We cannot respond publicly to the allegations made by the advocates. The truth or falsity of those allegations will be tested in the hearing process, where all the evidence can be considered in context by an independent tribunal."

A public board meeting is scheduled for Feb. 25 at 6:30 p.m.

Copyright 2014 CBS 5 (KPHO Broadcasting Corporation). All rights reserved.

Powered by WorldNow