The personal information of more than 309,000 students, staff and alumni of the University of Maryland was compromised in a "sophisticated" cyberattack, University President Wallace Loh announced Wednesday.
The breached database held names, Social Security numbers, dates of birth and university identification numbers maintained by the university's information technology division and protected with "multi-layered security defenses," Loh said in an open letter.
"I am truly sorry," he wrote.
Loh stressed that no financial, academic, health, or contact information was taken but said the university would provide a free year of credit monitoring to anyone whose information was exposed. Students, faculty and other personnel who have been issued a University ID at the College Park and Shady Grove campuses since 1998 were affected.
The data breach is the latest in a string of such attacks in recent years. Financial institutions, employers, retailers and others have been targeted. In a case that stoked public outrage, a cyberattack on Target last year affected up to 40 million people.
Universities have also been vulnerable. A cyberattack at the University of Delaware compromised the information of 74,000 people last year. Nearly 24,000 College Park students' Social Security numbers were inadvertently printed on mailing labels for parking brochures in 2008.
Noah Smith, a senior biology student at College Park, called the latest breach "concerning."
"I'm still trying to process it a little," he said. "Somebody now has my information."
Beth Givens, director of Privacy Rights Clearinghouse, a nonprofit that tracks privacy breaches, said universities are often targeted by hackers because they collect the type of information that thieves can use to set up new accounts under different addresses and "go to town with the victims' money."
Names and Social Security numbers can give identity thieves the "keys to the kingdom," Givens said.
She said Maryland law requires agencies to report only unencrypted data breaches. Encrypting information or using algorithms to scramble the data protects against the information being used.
It's unclear whether the university data was encrypted. Officials could not be reached to comment beyond Loh's letter.
Loh characterized the data breach as a "criminal incident" and said state and federal law enforcement authorities are investigating. He said that within 24 hours of Tuesday's breach, the university formed a task force that also includes computer forensic investigators.
"With the assistance of experts, we are handling this matter with an abundance of caution and diligence," he wrote.
Francoise Gilbert, managing director of IT Law Group, based in California's Silicon Valley, which represents firms when they're attacked, said the university breach was "relatively small," compared to other high-profile attacks, but could have wide-ranging effects.
"Of course, for the affected people, I would imagine there will be tremendous consequences," she said.
Smith, the College Park student from Baltimore, said the frequency of cyberattacks like Target's are beginning to have a numbing effect. He doesn't fault the university for any oversight in data protection.
"It tells you more about the state of our current online security," he said. "I understand the realities of the situation. If it's happening to a multibillion-dollar company like Target, and it even happens to the government, it can happen to anyone."
He said he appreciated the university's offer of free credit monitoring and planned to participate in the program.
"No reason not to," he said.
In his letter, Loh said the attack happened despite a recent doubling in the university's IT security engineers and analysts.
He also tried to prevent scams by warning that no university communication about the cyberattack would ask community members for their personal information. He told community members to be cautious in sharing such information.
The university has set up a hotline at 301-405-4440 and an email address for those with questions or concerns, firstname.lastname@example.org.
"I regret this breach of our computer and data systems," Loh said in his letter. "We are doing everything possible to protect any personal information that may be compromised.
"Obviously, we need to do more and better, and we will."
(c)2014 The Baltimore Sun