UMD Breach Exposes Confidential Data on more than 300k
In a notice posted on the website of The University of Maryland, the University acknowledged a data breach effecting more than 300,000 personal records for faculty, staff and students who have received identification cards at the University of Maryland. The breach occurred about 4 a.m. Tuesday, when an outside source gained access to a secure records database that holds information dating to 1998.
UMD Data Breach: Update 2/21/14
Communication from UMD VP of IT Brian Voss:
On Tuesday evening, we announced that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information. Since that time, we have been working around the clock to ensure the breach has been contained and that other data systems are protected.
I would like to reiterate that the data breach was restricted to name, Social Security number, date of birth, and University identification number. No financial, academic, health or contact information was accessed.
To help protect your identity, we are working to offer a free, one-year membership of Experian’s ProtectMyID Alert. This product helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.
Instructions on how to register for this service will be distributed via email and via update to this site by 10 am EST.
Our investigation into the cyber-attack continues, and the University of Maryland Police Department is working with the U.S. Secret Service on this matter. We are also partnering with MITRE, a leading systems engineering company specializing in cybersecurity, to provide additional forensic analysis on how this attack happened, and how to prevent such attacks in the future.
We understand this breach is causing inconvenience, concern and consternation. Please know that we are doing everything possible to ensure the protection of your personal information as we move forward.
Vice President, Information Technology
“The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected. Voss said the security breach appears to be in contrast with typical attacks, in which “someone left the door open,” creating an easy opportunity for any hacker.
“That’s not what happened here,” Voss said. “There’s no open door. These people picked through several locks to get to this data.”
UMD Data Breach
Letter from President Loh
February 19, 2014
Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):
Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.
I am truly sorry. Computer and data security are a very high priority of our University.
A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.
With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.
The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.
University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.
All updates regarding this matter will be posted to this website. Additional information is provided in the FAQs below. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at [email protected].
Universities are a focus in today’s global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.
Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.
Wallace D. Loh
President, University of Maryland
—We have been notified by Brian Voss, Vice President of Information Technology, that a computer security incident at the University of Maryland exposed approximately 309,079 records containing personal information.
—That database contained 309,079 records of faculty, staff, students and affiliated personnel from College Park and Shady Grove campuses who have been issued a University ID since 1998.
—The records included name, Social Security number, date of birth, and University identification number. No financial, academic, contact, or health information was compromised.
—The cause of the security breach is currently under investigation by state and federal law enforcement authorities, as well as forensic computer investigators.
—Within 24 hours, the University formed an investigative task force that includes law enforcement, IT leadership, and computer forensic investigators. We are also making every effort to notify the campus community and those who were previously affiliated with the university as students, faculty or staff. In addition, the University is offering one year of free credit monitoring to all who were affected.
—We recommend that you be mindful of these general tips:
- Do not share personal information over the phone, email or text. Instead, ask for a call-back number so you can verify with whom you are communicating.
- Delete texts immediately from unfamiliar numbers or names because of the risk of malware and other viruses.
- Never click links within emails that you do not recognize. Be cautious when responding to emails that direct you to suspicious websites.
—Additional information will be posted on the University homepage. A special hotline has also been established if you have questions about this incident. You can call 301.405.4440 or email us at [email protected].