More than 300,000 personal records for faculty, staff and students who have received identification cards at the University of Maryland were compromised in a computer security breach this week, school officials said.
The breach occurred about 4 a.m. Tuesday, when an outside source gained access to a secure records database that holds information dating to 1998.
Brian Voss, vice president and chief information officer at U-Md., said officials think that whoever got into the database duplicated the information, which includes names, Social Security numbers, dates of birth and university identification numbers for 309,079 people affiliated with the school on its College Park and Shady Grove campuses.
The hackers did not change anything within the university’s computer system, but Voss said the attackers essentially “made a Xerox of it and took off.”
Voss said that what most concerns him is the sophistication of the attack: The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected. Voss said the security breach appears to be in contrast with typical attacks, in which “someone left the door open,” creating an easy opportunity for any hacker.
“That’s not what happened here,” Voss said. “There’s no open door. These people picked through several locks to get to this data.”
In a letter to the university community, President Wallace D. Loh said school officials are investigating the breach and doing what they can to prevent further intrusions.
“Appropriate state and federal law enforcement authorities are currently investigating this incident,” Loh wrote. “Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed.”
Meghan Land, a staff lawyer for the Privacy Rights Clearinghouse, a nonprofit group based in San Diego, said the U-Md. breach was large and significant because it included Social Security numbers. A list kept by the clearinghouse indicates that many colleges have faced data security problems in recent years.
Ohio State University said in 2010 that hackers had penetrated a college server that contained the names, birth dates and Social Security numbers of 750,000 people, exposing them to risk of identity theft. Last year, the University of Virginia said that Social Security numbers of more than 18,000 students were mistakenly printed in the address field of health insurance brochures that were mailed to their homes.
Loh said that U-Md. plans to provide free credit monitoring for a year to anyone whose information was compromised.
Dan Goff, a graduate student at the University of South Carolina who studied at U-Md. for three semesters in 2003 and 2004, said he was “more annoyed than anything” when he heard about the security breach Wednesday evening. Within an hour, he submitted fraud alerts to three credit agencies.
“It’s certainly a fact of life in the information age,” Goff said.