The personal information of more than 309,000 students, staff and alumni of the University of Maryland was compromised in a "sophisticated" cyberattack, University President Wallace Loh announced Wednesday.
The breached database held names, Social Security numbers, dates of birth and university identification numbers maintained by the university's information technology division and protected with "multi-layered security defenses," Loh said in an open letter.
"I am truly sorry," he wrote.
Loh stressed that no financial, academic, health, or contact information was taken but said the university would provide a free year of credit monitoring to anyone whose information was exposed. Students, faculty and other personnel who have been issued a University ID at the College Park and Shady Grove campuses since 1998 were affected.
The data breach is the latest in a string of such attacks in recent years. Financial institutions, employers, retailers and others have been targeted. In a case that stoked public outrage, a cyberattack on Target last year affected up to 40 million people.
Universities have also been vulnerable. A cyberattack at the University of Delaware compromised the information of 74,000 people last year. Nearly 24,000 College Park students' Social Security numbers were inadvertently printed on mailing labels for parking brochures in 2008.
"A lot of times these are because someone has, metaphorically speaking, left the door open," said UMD vice president and chief information officer Brian Voss. "This is not that. This is a very sophisticated and dedicated person who worked their way around a good deal of security in order to get a very specific set of data. We're still trying to understand what happened and how they actually did this, but they appear to know what file they wanted to go after."
Noah Smith, a senior biology student at College Park, called the latest breach "concerning."
"I'm still trying to process it a little," he said. "Somebody now has my information."
Beth Givens, director of Privacy Rights Clearinghouse, a nonprofit that tracks privacy breaches, said universities are often targeted by hackers because they collect the type of information that thieves can use to set up new accounts under different addresses and "go to town with the victims' money."
Names and Social Security numbers can give identity thieves the "keys to the kingdom," Givens said.
She said Maryland law requires agencies to report only unencrypted data breaches. Encrypting information or using algorithms to scramble the data protects against the information being used.
Voss said the database that was breached was not encrypted, "but given the way they went about this it wouldn't have mattered" as "the process of getting the data would have unencrypted it."
The university's IT chief said the hack is believed to have taken place sometime between 4 a.m. and 5 a.m. Tuesday, and staff discovered it a few hours later when they noticed unusual activity on the server. Voss said the hacker also got into the accounts of the university's IT staff and transferred the data through a Tor, or anonymous, server.
Loh characterized the data breach as a "criminal incident" and Voss said the FBI, U.S. Secret Service, Maryland State Police and other agencies are investigating. Loh said that within 24 hours of Tuesday's breach, the university formed a task force that also includes computer forensic investigators.
"With the assistance of experts, we are handling this matter with an abundance of caution and diligence," Loh wrote.
Voss said the university would evaluate any necessary changes to its security infrastructure once it had a better understanding of how the breach happened. He said the information that was taken included users' department and academic program and their university-issued ID numbers, though he said that data would likely not prove valuable to a hacker.
"In today's day and age it really could be anybody," Voss said. "When we say something is sophisticated and well done, that doesn't mean it's not a kid sitting in his shorts in his parents' basement in Denmark. We don't know."
He added: "It is somebody who was not a casual hacker."
Francoise Gilbert, managing director of IT Law Group, based in California's Silicon Valley, which represents firms when they're attacked, said the university breach was "relatively small," compared to other high-profile attacks, but could have wide-ranging effects.