Security

University of Maryland: 309,079 Records Compromised

A closer look at the latest security breach in higher education.

Twitter

Jimmy is a writer and editor who publishes a weekly newsletter. You can find him on Twitter.

The University of Maryland is the latest organization to suffer a massive data breach. On Feb. 18, 2014, hackers were able to access a database, compromising more than 309,000 university records.

It’s not surprising that hackers are after university-owned data, considering how large some of these databases are. To address the breach and answer questions from students and faculty, the university has set up a page at umd.edu/datasecurity. Here are some of the facts from the site:

How many files were breached?

We have been notified by Brian Voss, Vice President of Information Technology, that a data breach at the University of Maryland exposed approximately 309,079 records containing personal information.

Who was affected by the breach?

That database contained 309,079 records of faculty, staff, students and affiliated personnel from College Park and Shady Grove campuses who have been issued a University ID. Specifically, the breach includes:

All current faculty, staff and students; and

All faculty, staff and students who were in possession of a University ID anytime between 1998 and present.

If your affiliation with the university ended prior to 1998, our investigation has determined that your records have been purged and are not affected.

What kind of data was accessed?

The records included name, Social Security number, date of birth, and University identification number. No financial, academic, contact, or health information was compromised.

How did it occur?

The cause of the security breach is currently under investigation by the University of Maryland Police Department, the U.S. Secret Service and federal law enforcement authorities, as well as forensic computer investigators.

How is the university responding?

Within 24 hours, the University formed an investigative task force that includes law enforcement, IT leadership, and computer forensic investigators. We are making every effort to notify the campus community and those who were previously affiliated with the university as students, faculty or staff.

We are also partnering with MITRE, a leading systems engineering company specializing in cybersecurity, to provide additional forensic analysis on how this attack happened and how to prevent such attacks in the future.

In addition, the University is offering one year of free credit monitoring to all who were affected.

Students and alumni vented their frustration on Twitter, and some are calling for lifetime credit monitoring instead of the one-year term that the university is currently offering.

If my identity gets stolen, I will not be satisfied with a year of free credit monitoring. #UMDHacked #databreach

— Gabby Ellsworth (@GabbyEllsworthh) February 20, 2014

Instead of spending 100 grand to change the motto to "unstoppable starts here" should have upgraded cyber security #UMDHacked

— MZA (@Mr_BumBastic) February 20, 2014

Not happy that UMD makes the news for information theft and not sports wins. #UMDHacked #umdprobz

— Jacob Hogan (@jakehogan7) February 20, 2014

After one year credit monitoring, what then? The threat doesn't go away because your soc and you dob and your name don't change #UMDHacked

— Leo Downey (@ltd4) February 20, 2014