The security and access controls protecting the personal information of University of Maryland University College staff and students are "not sufficient," according to an audit released Friday by the state's Office of Legislative Audits.

The 655,227 Social Security numbers stored in UMUC databases are unencrypted, the report states, despite the University System of Maryland IT Security Standards requiring the encryption of confidential information or other equally secure safeguards.


"When it's unencrypted, it's in clear text," said Bob Koslowski, director of information systems audits. "If that server were hacked, the hacker could see that information, steal it and publish it. If it were encrypted, even if someone were to steal it, they would not be able to open it and use it."

The UMUC response, which is included in the audit report, states that the school was following university system standards by implementing six other security safeguards, such as secure network configurations and vulnerability scanning, to "ensure compliance with USM standards."

"Those provide some measure of security, but if the server is hacked and the data is taken out, it's still wide open and anyone can read it," Koslowski said.

UMUC spokesman Bob Ludwig said that no information had been stolen from the school, which offers online and adult education courses.

Another USM campus had personal information stolen recently. In February 2014, the names, birthdays and Social Security numbers of more than 309,000 University of Maryland, College Park students, staff and alumni were compromised in a data breach.

UMUC aims to encrypt the data by Aug. 31, according to the report, which covers the period of March 21, 2011, to June 30, 2014.

"We certainly agree with the report by the Office of Legislative Audits and are already following through on the recommendations," Ludwig said.