PHOENIX (CN) - Maricopa County Community College District waited seven months to inform 2.5 million students, graduates, employees and vendors that its databases had been breached and their personal information made available for sale online, a class action claims in state court.
Lead plaintiff Jason Liebich, a current student at Phoenix College, sued the college district in Maricopa County Court.
Liebich claims the FBI warned the Maricopa County Community College District (MCCCD) in January 2011 that a number of its databases had been breached and made available for sale on the Internet.
The district's Information Technology Services employees also became aware of the security breach in January 2011, and repeatedly reported their findings to Vice Chancellor George Kahkedjian, the lawsuit claims.
But the district failed to make any changes to secure the databases, resulting in the breach of 14 databases on MCCCD servers in April 2013, according to the complaint.
"To make matters worse, MCCCD failed to promptly disclose the data breach and failed to notify victims of the data breach in a reasonable or timely manner," Liebich says. "MCCCD waited over six months, until Nov. 27, 2013, to inform its current and former students, employees, and vendors that the data system was breached and their personally identifiable information may have been sold and exploited."
In a letter sent to victims of the breach, the district claimed it "recently discovered" the security breach, and offered one year of credit monitoring to victims, according to the lawsuit.
The district operates 10 community colleges and two skill centers in Maricopa County that employ more than 9,500 people and serve 265,000 students, according to the complaint.
Due to the data breaches, 2.5 million former and current students, employees and vendors have had their "names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, financial and bank account information, demographical information, information related to employment, education, and training, benefits information, academic information, financial aid information, and Federal Employer Identification Numbers" exposed on the Internet, making them vulnerable to identity fraud, the class claims.
According to the lawsuit, MCCCD is now "falsely advising class members that no data breach had occurred, including current students who were never informed (in writing or otherwise) that a data incursion had occurred."
Liebich says he was informed by the district that his personal information was included in the breach and that he would receive a letter of notification, but he never did. In 2013, he found fraudulent charges on his debit card, which "could have been obtained as a result of the MCCCD breach."
He seeks class certification, compensatory damages, credit monitoring, credit restoration, and punitive damages for breach of contract and negligence. He is represented by Robert Carey with Hagens Berman Sobol Shapiro in Phoenix.