February 19, 2014
Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):
Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.
I am truly sorry. Computer and data security are a very high priority of our University.
A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.
With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.
The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.
University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.
All updates regarding this matter will be posted to this website. Additional information is provided in the FAQs below. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at [email protected].
Universities are a focus in today’s global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.
Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.
Wallace D. Loh
President, University of Maryland
- How many files were breached?
—We have been notified by Brian Voss, Vice President of Information Technology, that a computer security incident at the University of Maryland exposed approximately 309,079 records containing personal information.
- Who was affected by the breach?
—That database contained 309,079 records of faculty, staff, students and affiliated personnel from College Park and Shady Grove campuses who have been issued a University ID since 1998.
- What kind of data was accessed?
—The records included name, Social Security number, date of birth, and University identification number. No financial, academic, contact, or health information was compromised.
- How did it occur?
—The cause of the security breach is currently under investigation by state and federal law enforcement authorities, as well as forensic computer investigators.
- How is the university responding?
—Within 24 hours, the University formed an investigative task force that includes law enforcement, IT leadership, and computer forensic investigators. We are also making every effort to notify the campus community and those who were previously affiliated with the university as students, faculty or staff. In addition, the University is offering one year of free credit monitoring to all who were affected.
- What else can I do to protect myself?
—We recommend that you be mindful of these general tips:
- Do not share personal information over the phone, email or text. Instead, ask for a call-back number so you can verify with whom you are communicating.
- Delete texts immediately from unfamiliar numbers or names because of the risk of malware and other viruses.
- Never click links within emails that you do not recognize. Be cautious when responding to emails that direct you to suspicious websites.
- What should affected persons do next?
—Additional information will be on the University homepage within 24 hours. A special hotline has also been established if you have questions about this incident. You can call 301.405.4440 or email us at [email protected].
Update 1: The Diamondback cites Brian Voss, the university’s vice president of information technology and chief information officer, as reporting that the breach was detected Tuesday morning between 8 and 9 a.m. According to Voss, officials believe the data were accessed between 4 and 5 am and then copied.
No data was altered in the university’s networks, and university ID-related tasks, such as logging into Canvas or swiping into buildings, were unaffected, Voss said.
Within hours of detecting the breach, officials assembled a task force of law enforcement, forensic investigators and IT experts and began consulting with the FBI and state law enforcement.
Impressive rapid detection and response! Of course, there’s still the issue of why they were storing SSN, and SSN going back to 1998, but we’ll get to that another time….
Update 2: Danny Yadron of the Wall Street Journal responded to my inquiry to him by responding that he confirmed with UMD that it is 309,079 people (and not just 309,079 records) involved.