2018-02: Prevention of Security Breach or Encryption of CCCApply Historical Apps

Request No.: 2018-02
Date of Request: August 3, 2017
Requester: Tim Calhoon
Section / Page


Steering Approval: APPROVED
Steering Hearing Date: August 30, 2017
Proposed Change to Download File: No
Proposed Change to Residency Logic: No
JIRA: OPENAPPLY-4155

Problem / Issue

We now have over 5 million applications in CCCApply and +20 million applications in the CCCApply Xap archive (see attached). Based on the Legislature's estimate, the cost of a breach of $25M CCCApply records could be upwards of 1/2 Billion Dollars if AB241 passes.

We will also need to think about how to handle OpenCCC accounts, but that may be tricky as so much is linked to the CCCID.

I would like to put a project on the road map to either delete old applications or completely encrypt and archive them into Amazon Glacier.

I'll need you to discuss this with steering as we want to pick a cutoff for what we have current for A/R research, i.e. keep available applications for the last 3 years, etc.

If there is a breach, the state would provide credit monitoring. In our case - would cost BIG BUCKS.

Proposed Solution

SECURITY IS PARAMOUNT! The safety and security of our students' data is critical.

Is there any way we can deep freeze older applications?  YES

What do you need from old applications for auditing purposes?  Full Application Data (via search screen, find and match + 

Some colleges get subpoenas to provide "everything" 

El Camino gives redacted rosters. Specific details what they must provide.

All of our data is stored in Amazon (Glacier) - heavily encrypted and long-term storage.  Takes time to decrypt and pull data out.  

Mitch suggests - Deep freeze with some mechanism to retrieve data within 24 hours.  Is 24 business operation hours acceptable?  YES  

This would be an automated process - the college provides the criteria and then AWS decrypts and gets it out of DEEP FREEZE.

Questions:  How often would you need more data than 

How far back do we need to go?  Minimum of 3 years; no longer than 5 years.  Keep data queries fast.  Data set low.  Start with old Xap applications first.

Matching Criteria:  What data is needed to match on?  First + Middle + Last + DOB + CCCID + Last 4 of SSN  - Steering consensus is Yes, this would be enough to match and find the information.  



Supporting Documentation

Example Text for a Security Breach Email Language


*** This is not a monitored inbox. Please do not reply. If you have any questions regarding this incident or if you desire further information or assistance, please call toll-free 888-721-6305, Monday through Friday, 24 hours a day, except holidays.  For international callers outside of the United States, please call 1-503-520-4448 (some charges may apply). ***
Dear Valued Customer:

We are writing to you because of an incident involving unauthorized access to customer information associated with your hotel reservation(s). The privacy and protection of our customers’ information is a matter we take very seriously, and we recommend that you closely review the information provided in this letter for some steps that you may take to protect yourself against potential misuse of your information.
What Happened?
The Sabre Hospitality Solutions SynXis Central Reservations system (SHS reservation system) facilitates the booking of hotel reservations made by consumers through hotels, online travel agencies, and similar booking services. Following an examination of forensic evidence, on June 6, 2017, Sabre began notifying certain customers and partners that use or interact with the SHS reservation system that an unauthorized party gained access to account credentials that permitted unauthorized access to payment card information, as well as certain reservation information, for a subset of hotel reservations processed through the SHS reservation system.
The investigation determined that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016. The last access to payment card information was on March 9, 2017.

What Information Was Involved?
The unauthorized party was able to access payment card information for your hotel reservation(s), including cardholder name; card number; card expiration date; and, potentially, your card security code. The unauthorized party was also able, in some cases, to access certain information such as guest name, email, phone number, address, and other information. Information such as Social Security, passport, or driver’s license number was not accessed.

What We Are Doing
Sabre engaged a leading cybersecurity firm to support its investigation. Sabre also notified law enforcement and the payment card brands about this incident.

What You Can Do
You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports for any unauthorized activity. If you discover any suspicious or unusual activity on your accounts, be sure to report it immediately to your financial institutions, as major credit card companies have rules that restrict them from requiring you to pay for fraudulent charges that are timely reported.
In addition, you may contact the Federal Trade Commission (FTC) or law enforcement, such as your state attorney general, to report incidents of identity theft or to learn about steps you can take to protect yourself from identity theft. You can contact the FTC at:

Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
(877) IDTHEFT (438-4338)

If you find that your information has been misused, the FTC encourages you to file a complaint with the FTC and to take these additional steps: (1) close the accounts that you have confirmed or believe have been tampered with or opened fraudulently; and (2) file and keep a copy of a local police report as evidence of the identity theft crime.

Obtain Your Credit Report
You should also monitor your credit reports. You may periodically obtain credit reports from each nationwide credit reporting agency. If you discover inaccurate information or a fraudulent transaction on your credit report, you have the right to request that the credit reporting agency delete that information from your credit report file.
In addition, under federal law, you are entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting agencies. You may obtain a free copy of your credit report by going to www.AnnualCreditReport.com or by calling (877) 322-8228. You also may complete the Annual Credit Report Request Form available from the FTC at https://www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You may also contact any of the three major credit reporting agencies to request a copy of your credit report.
Place a Fraud Alert or Security Freeze on Your Credit Report File
In addition, you may obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you, but it also may delay your ability to obtain credit. If you suspect you may be a victim of identity theft, you may place a fraud alert in your file by calling just one of the three nationwide credit reporting agencies listed below. As soon as that agency processes your fraud alert, it will notify the other two agencies, which then must also place fraud alerts in your file. An initial fraud alert will last 90 days. An extended alert stays on your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report.
Also, you can contact the nationwide credit reporting agencies regarding if and how you may place a security freeze on your credit report. A security freeze prohibits a credit reporting agency from releasing information from your credit report without your prior written authorization, which makes it more difficult for unauthorized parties to open new accounts in your name. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. The credit reporting agencies have 3 business days after receiving a request to place a security freeze on a consumer’s credit report. You may be charged to place or lift a security freeze. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company.
You may contact the nationwide credit reporting agencies at:

P.O. Box 105788
Atlanta, GA 30348
(800) 525-6285

P.O. Box 9554
Allen, TX 75013
(888) 397-3742

P.O. Box 2000
Chester, PA 19016
(800) 680-7289

Please see the following page for certain state-specific information.
For More Information
We apologize for any inconvenience caused by this incident. If you have any questions regarding this incident or if you desire further information or assistance, please do not hesitate to contact us toll-free at 888-721-6305, Monday through Friday, 24 hours a day. For international callers outside the United States, please call 503-520-4448 (some charges may apply). To view notice information online, please visit www.sabreconsumernotice.com.
Pacific Hospitality Group

You may contact law enforcement or the Iowa Attorney General’s Office to report suspected incidents of identity theft. This office can be reached at:
Office of the Attorney General of Iowa
Hoover State Office Building
1305 E. Walnut Street
Des Moines, IA 50319
(515) 281-5164
You may obtain information about avoiding identity theft from the Maryland Attorney General’s Office. This office can be reached at:
Office of the Attorney General
Consumer Protection Division
200 St. Paul Place
Baltimore, MD 21202
(888) 743-0023
You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov.
In Addition, New Mexico Consumers Have the Right to Obtain a Security Freeze or Submit a Declaration of Removal
You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place. To remove the freeze or to provide authorization for the temporary release of your credit report, you must contact the consumer reporting agency and provide all of the following:
1. the unique personal identification number, password, or similar device provided by the consumer reporting agency;
2. proper identification to verify your identity;
3. information regarding the third party or parties who are to receive the credit report or the period of time for which the credit report may be released to users of the credit report; and
4. payment of a fee, if applicable.
A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request. As of September 1, 2008, a consumer reporting agency shall comply with the request within fifteen minutes of receiving the request by a secure electronic method or by telephone.
A security freeze does not apply in all circumstances, such as where you have an existing account relationship and a copy of your credit report is requested by your existing creditor or its agents for certain types of account review, collection, fraud control, or similar activities; for use in setting or adjusting an insurance rate or claim or insurance underwriting; for certain governmental purposes; and for purposes of prescreening as defined in the federal Fair Credit Reporting Act.
If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, with enough advance notice before you apply for new credit for the lifting to take effect. You should contact a consumer reporting agency and request it to lift the freeze at least three business days before applying. As of September 1, 2008, if you contact a consumer reporting agency by a secure electronic method or by telephone, the consumer reporting agency should lift the freeze within fifteen minutes. You have a right to bring a civil action against a consumer reporting agency that violates your rights under the Fair Credit Reporting and Identity Security Act.
To place a security freeze on your credit report, you must send a request to each of the three major consumer reporting agencies: Equifax, Experian, and TransUnion. These agencies using the contact information provided in the enclosed letter.
You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office. This office can be reached at:
North Carolina Department of Justice
Attorney General’s Office
9001 Mail Service Center
Raleigh, NC 27699-9001
(877) 566-7226
You may obtain information about preventing identity theft from the Oregon Attorney General’s Office. This office can be reached at:
Oregon Department of Justice
1162 Court Street NE
Salem, OR 97301-4096
(503) 378-4400