A week after someone breached a database at the University of Maryland, President Wallace D. Loh announced that university and law enforcement officials were investigating how a hacker gained access to names, addresses, Social Security numbers and other data going back to 1998.

The more than 300,000 students, faculty and staff affected will receive no-cost credit protection services, and the university is launching a “top to bottom” investigation of all computing and information services to include:

  • Scanning of every university database to find where sensitive personal information is located, so it may be purged or protected.
  • Penetration testing of the university’s security to identify and seal any vulnerabilities.
  • Review of centralized vs. decentralized systems to coordinate security and safeguards.

“Universities are a focus in today's global assaults on IT systems,” said Loh in an announcement. “We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better.”

Employees of the University of Northern Iowa (UNI) might agree with Loh’s assessment of universities as targets. When attempting to file tax returns, some discovered that their Social Security numbers had already been used by other tax filers. While UNI has yet to find evidence of compromised databases, the University of Maryland’s experience prompted UNI to call in law enforcement and the IRS, provide credit monitoring and take other steps.

Indiana University also just joined the ranks of security dropouts, announcing Feb. 25 that names, addresses and Social Security numbers of nearly 150,000 students and recent graduates may have been exposed during a data breach. The data was reportedly stored in an unsecured location for nearly a year.

Legislative bodies are taking note of the increased collection of student digital data, and in Kansas, for example, the Legislature is moving to ensure better privacy for student information. Hackers, however, don’t often follow the law, and so strong policy must be matched by equally strong IT security practices.