Nearly a year after a massive data breach at the University of Maryland, state auditors say the campus network is still vulnerable to hackers — in part because gaps they identified five years ago remain.
While patching those holes would not have prevented the breach, auditors and university officials said Wednesday, some of the network still lacks proper firewalls or systems to detect intruders or malware.
Thomas Barnickel, an auditor with the state Office of Legislative Audits, said the findings suggest broader issues regarding the network's protection.
"There's other vulnerabilities in the system they need to shore up, that's for sure," he said.
University officials said they are working on expanding and strengthening firewalls and making other improvements.
After hackers exposed the Social Security numbers of some 300,000 present and former students, faculty and staff members at the University of Maryland, College Park in February, officials moved to cut the risks of future breaches by isolating and encrypting sensitive data, limiting access to it and training the campus community in data security.
The efforts come as institutions of higher education, businesses and banks are increasingly targeted for cyber attacks. That's a particular challenge for universities, because academic networks are open by nature.
"Our mission is to preserve a culture of openness, innovation and exploration, while simultaneously reducing the likelihood of future threats," Eric Denna, the University of Maryland's chief information officer, said in an email. "Educating our community members can go a long way toward mitigating additional threats."
Barnickel said auditors were surprised most by a finding that some clusters of computers on the fringes of the campus network were not protected by firewalls. Mainframe computers and other central servers were protected, he said, but there was no campus-wide policy for protecting the local networks of individual departments.
Auditors found that only 15 of more than 500 campus departments lay behind a campus-wide firewall. That meant that in many departments, including the officers of the president and the bursar, workstations could be accessed through student computer labs, dormitories or the Internet.
"I think that's a pretty big deal," Barnickel said.
Auditors also repeated findings from a similar review five years ago. In the 2009 audit, they reported that firewalls were operating on weak or outdated rules to determine who could access the network, and that logs of security incidents on the network were not properly reviewed.
Denna said the university addressed those findings in 2009. University officials said firewall rules must constantly be updated, so while there might have been problems with some rules five years ago, problems this year involved different rules. They said they are testing a new firewall management system that can help improve network security rules.
They have also invested in technology to manage the security logs and additional staff to review the logs.
Barnickel and Denna said those issues did not contribute to the data breach in February, which occurred through an unsecured server that was responsible for running a university website. A firewall could not have been used to protect the site because it is designed to be publicly accessible on the Internet.
Auditors described the attack as a sophisticated exploitation of that Web server and other servers and databases — including one that contained the Social Security numbers, birth dates and names of everyone who was issued a university identification card since 1998, and students who had attended the university since 1992.
Richard Forno, who teaches cybersecurity at the University of Maryland, Baltimore County, said one key issue in the audit that could be tangentially related to the breach is broad access to sensitive data on the network.
"You never want to have a person or a set of people to have all the keys to all of the kingdom," Forno said. He is not involved with security efforts in College Park, a separate institution from UMBC.
Auditors said the university has spent about $2.8 million to address the data breach, including setting up call centers and offering free credit monitoring for those affected. About 100,000 people, or a third of the victims, have signed up for the credit monitoring, auditors said.
Patrick Ronk, president of the Student Government Association at College Park, said many students didn't see the point of signing up for the services because they have little credit and don't perceive a significant risk.
"There's a disconnect with a lot of young people on this," said Ronk, a junior. "We don't take it as seriously as we should."
But university officials said the sign-up rate has outpaced the signup rates for credit monitoring offered after data breaches at corporations such as Target and Nieman Marcus.
Some see the university breach as more serious than those in which credit card numbers were compromised. A credit card can be canceled, but a criminal can always exploit a Social Security number.
Denna said university officials would be "vigilant" in increasing cybersecurity investments and in assessing network risks.
But given the constantly changing nature of cyberattacks, Forno said, nothing can ensure protection.
"Even if you did all these things, that still doesn't give you 100 percent guarantees that this incident couldn't happen again," he said.