A computer security breach at the University of Maryland has compromised more than 300,000 personal records for faculty, staff and students who have received identification cards. Here’s the letter about the breach from university President Wallace D. Loh released on Wednesday:
Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):
Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.
I am truly sorry. Computer and data security are a very high priority of our University.
A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.
With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.
The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.
University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.
All updates regarding this matter will be posted to this website. Additional information is provided in the FAQs below. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at firstname.lastname@example.org.
Universities are a focus in today’s global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.
Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.
Wallace D. Loh
President, University of Maryland
How many files were breached?
—We have been notified by Brian Voss, Vice President of Information Technology, that a computer security incident at the University of Maryland exposed approximately 309,079 records containing personal information.
Who was affected by the breach?
—That database contained 309,079 records of faculty, staff, students and affiliated personnel from College Park and Shady Grove campuses who have been issued a University ID since 1998.
What kind of data was accessed?
—The records included name, Social Security number, date of birth, and University identification number. No financial, academic, contact, or health information was compromised.
How did it occur?
—The cause of the security breach is currently under investigation by state and federal law enforcement authorities, as well as forensic computer investigators.
How is the university responding?
—Within 24 hours, the University formed an investigative task force that includes law enforcement, IT leadership, and computer forensic investigators. We are also making every effort to notify the campus community and those who were previously affiliated with the university as students, faculty or staff. In addition, the University is offering one year of free credit monitoring to all who were affected.
What else can I do to protect myself?
—We recommend that you be mindful of these general tips:
Do not share personal information over the phone, email or text. Instead, ask for a call-back number so you can verify with whom you are communicating.
Delete texts immediately from unfamiliar numbers or names because of the risk of malware and other viruses.
Never click links within emails that you do not recognize. Be cautious when responding to emails that direct you to suspicious websites.
What should affected persons do next?
—Additional information will be on the University homepage within 24 hours. A special hotline has also been established if you have questions about this incident. You can call 301.405.4440 or email us at email@example.com.