A privacy watchdog filed a complaint with the Federal Trade Commission against a community college district in Arizona that lost the personal data of 2.5 million students and employees in two data breaches.
The Electronic Privacy Information Center (EPIC) asked the FTC in its complaint Monday to bring an enforcement action in federal district court against the Maricopa County Community College District (MCCCD) for violating the “Safeguards Rule,” which requires customer data to be secured.
EPIC, a nonprofit organization based in Washington, is also seeking that the MCCCD obtain an independent assessment to ensure that it is complying with the Safeguards Rule.
MCCCD’s troubles are notable as the organization was warned after a small data breach affecting 400 people in January 2011 that it needed to shore up its systems. The FBI informed it at the time that information from its databases had turned up for sale on the Internet.
Arizona’s Auditor General advised in November 2011 that the organization needed to strengthen access controls after finding terminated employees still had active user accounts on its network.
A subsequent audit in November 2012 found the organization still had not adequately limited access to its systems, according to EPIC’s complaint.
In April 2013, the FBI found 14 of MCCCD’s database for sale on a website, with data including names, addresses, Social Security Numbers, birth dates and financial aid information. The breach affected 2.49 million current and former students, employees and vendors.
More than 265,000 students attend a network of 10 colleges, two skill centers and other education centers within MCCCD’s purview in Maricopa County in Arizona. The organization is responsible for coordinating and dispersing financial aid.