The Washington Post

University of Maryland computer security breach exposes 300,000 records

The statue of Testudo resides on campus in College Park in this file photo. The university said more than 300,000 personal records were compromised. (Bill O'Leary/The Washington Post)

More than 300,000 personal records for faculty, staff and students who have received identification cards at the University of Maryland were compromised in a computer security breach this week, school officials said.

The breach occurred about 4 a.m. Tuesday, when an outside source gained access to a secure records database that holds information dating to 1998.

Brian Voss, vice president and chief information officer at U-Md., said officials think that whoever got into the database duplicated the information, which includes names, Social Security numbers, dates of birth and university identification numbers for 309,079 people affiliated with the school on its College Park and Shady Grove campuses.

The hackers did not change anything within the university’s computer system, but Voss said the attackers essentially “made a Xerox of it and took off.”

Voss said that what most concerns him is the sophistication of the attack: The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected. Voss said the security breach appears to be in contrast with typical attacks, in which “someone left the door open,” creating an easy opportunity for any hacker.

“That’s not what happened here,” Voss said. “There’s no open door. These people picked through several locks to get to this data.”

In a letter to the university community, President Wallace D. Loh said school officials are investigating the breach and doing what they can to prevent further intrusions.

“Appropriate state and federal law enforcement authorities are currently investigating this incident,” Loh wrote. “Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed.”

Meghan Land, a staff lawyer for the Privacy Rights Clearinghouse, a nonprofit group based in San Diego, said the U-Md. breach was large and significant because it included Social Security numbers. A list kept by the clearinghouse indicates that many colleges have faced data security problems in recent years.

Ohio State University said in 2010 that hackers had penetrated a college server that contained the names, birth dates and Social Security numbers of 750,000 people, exposing them to risk of identity theft. Last year, the University of Virginia said that Social Security numbers of more than 18,000 students were mistakenly printed in the address field of health insurance brochures that were mailed to their homes.

Loh said that U-Md. plans to provide free credit monitoring for a year to anyone whose information was compromised.

Dan Goff, a graduate student at the University of South Carolina who studied at U-Md. for three semesters in 2003 and 2004, said he was “more annoyed than anything” when he heard about the security breach Wednesday evening. Within an hour, he submitted fraud alerts to three credit agencies.

“It’s certainly a fact of life in the information age,” Goff said.

Nick Anderson covers higher education for The Washington Post. He has been a writer and editor at The Post since 2005.


Success! Check your inbox for details. You might also like:

Please enter a valid email address

See all newsletters

Show Comments
Most Read


Success! Check your inbox for details.

See all newsletters

To keep reading, please enter your email address.

You’ll also receive from The Washington Post:
  • A free 6-week digital subscription
  • Our daily newsletter in your inbox

Please enter a valid email address

I have read and agree to the Terms of Service and Privacy Policy.

Please indicate agreement.

Thank you.

Check your inbox. We’ve sent an email explaining how to set up an account and activate your free digital subscription.