By Colin Campbell, The Baltimore Sun
4:58 PM EST, February 20, 2014
The personal information of more than 309,000 students, staff and alumni of the University of Maryland was compromised in a "sophisticated" cyberattack, University President Wallace Loh announced Wednesday.
The breached database held names, Social Security numbers, dates of birth and university identification numbers maintained by the university's information technology division and protected with "multi-layered security defenses," Loh said in an open letter.
"I am truly sorry," he wrote.
Loh stressed that no financial, academic, health, or contact information was taken but said the university would provide a free year of credit monitoring to anyone whose information was exposed. Students, faculty and other personnel who have been issued a University ID at the College Park and Shady Grove campuses since 1998 were affected.
The data breach is the latest in a string of such attacks in recent years. Financial institutions, employers, retailers and others have been targeted. In a case that stoked public outrage, a cyberattack on Target last year affected up to 40 million people.
Universities have also been vulnerable. A cyberattack at the University of Delaware compromised the information of 74,000 people last year. Nearly 24,000 College Park students' Social Security numbers were inadvertently printed on mailing labels for parking brochures in 2008.
"A lot of times these are because someone has, metaphorically speaking, left the door open," said UMD vice president and chief information officer Brian Voss. "This is not that. This is a very sophisticated and dedicated person who worked their way around a good deal of security in order to get a very specific set of data. We're still trying to understand what happened and how they actually did this, but they appear to know what file they wanted to go after."
Noah Smith, a senior biology student at College Park, called the latest breach "concerning."
"I'm still trying to process it a little," he said. "Somebody now has my information."
Beth Givens, director of Privacy Rights Clearinghouse, a nonprofit that tracks privacy breaches, said universities are often targeted by hackers because they collect the type of information that thieves can use to set up new accounts under different addresses and "go to town with the victims' money."
Names and Social Security numbers can give identity thieves the "keys to the kingdom," Givens said.
She said Maryland law requires agencies to report only unencrypted data breaches. Encrypting information or using algorithms to scramble the data protects against the information being used.
Voss said the database that was breached was not encrypted, "but given the way they went about this it wouldn't have mattered" as "the process of getting the data would have unencrypted it."
The university's IT chief said the hack is believed to have taken place sometime between 4 a.m. and 5 a.m. Tuesday, and staff discovered it a few hours later when they noticed unusual activity on the server. Voss said the hacker also got into the accounts of the university's IT staff and transferred the data through a Tor, or anonymous, server.
Loh characterized the data breach as a "criminal incident" and Voss said the FBI, U.S. Secret Service, Maryland State Police and other agencies are investigating. Loh said that within 24 hours of Tuesday's breach, the university formed a task force that also includes computer forensic investigators.
"With the assistance of experts, we are handling this matter with an abundance of caution and diligence," Loh wrote.
Voss said the university would evaluate any necessary changes to its security infrastructure once it had a better understanding of how the breach happened. He said the information that was taken included users' department and academic program and their university-issued ID numbers, though he said that data would likely not prove valuable to a hacker.
"In today's day and age it really could be anybody," Voss said. "When we say something is sophisticated and well done, that doesn't mean it's not a kid sitting in his shorts in his parents' basement in Denmark. We don't know."
He added: "It is somebody who was not a casual hacker."
Francoise Gilbert, managing director of IT Law Group, based in California's Silicon Valley, which represents firms when they're attacked, said the university breach was "relatively small," compared to other high-profile attacks, but could have wide-ranging effects.
"Of course, for the affected people, I would imagine there will be tremendous consequences," she said.
The Maryland Attorney General’s Office also warned that the incident was more serious than other recent identity theft cases involving Target and Neiman Marcus. Where someone could cancel the credit card compromised in the Target breach, identifying information like a Social Security number and birth date could be used to wreak havoc on credit at any point in the future.
Smith, the College Park student from Baltimore, said the frequency of cyberattacks like Target's are beginning to have a numbing effect. He doesn't fault the university for any oversight in data protection.
"It tells you more about the state of our current online security," he said. "I understand the realities of the situation. If it's happening to a multi-billion-dollar company like Target, and it even happens to the government, it can happen to anyone."
He said he appreciated the university's offer of free credit monitoring and planned to participate in the program.
"No reason not to," he said.
In his letter, Loh said the attack happened despite a recent doubling in the university's IT security engineers and analysts.
He also tried to prevent scams by warning that no university communication about the cyberattack would ask community members for their personal information. He told community members to be cautious in sharing such information.
Voss said universities are at a disadvantage compared to private businesses and other organizations when it comes to preventing cyber attacks, as the university's system must remain open to allow collaboration. For example, he said, the university blocks some web traffic from China, where some cyber attacks in the U.S. are believed to have originated, but doing so hampers faculty trying to conduct research.
"What we can't do is put a big wall around the whole campus," Voss said.
If all those affected by the breach take advantage of the free credit monitoring offer, Voss estimated it could cost the university more than $3 million, though officials anticipate that not everyone will sign up.
The university has set up a hotline at 301-405-4440 and an email address for those with questions or concerns, firstname.lastname@example.org. Details on the credit monitoring offer are expected to be announced Thursday.
"I regret this breach of our computer and data systems," Loh said in his letter. "We are doing everything possible to protect any personal information that may be compromised.
"Obviously, we need to do more and better, and we will."
Baltimore Sun reporter Carrie Wells contributed to this report.
Copyright © 2014, The Baltimore Sun