UM forms task force to identify any further data vulnerabilities

A week after the University of Maryland learned it was the target of a sophisticated data breach, President Wallace D. Loh said Tuesday that the university would extend free credit protection services to the 309,000 students, alumni and employees affected from the one year it had previously announced to five years.

The university discovered last week that the Social Security numbers, birth dates and names of all students, faculty and staff issued a university ID card at College Park and at the Universities at Shady Grove in Rockville since 1998 had been stolen.

The university said the hotline set up for those affected by the cyberattack at 1-866-274-3891 by the financial services company Experian had received 40,000 calls in the first three hours Tuesday. Officials urged patience.

Loh said in a letter that the President's Task Force on Cybersecurity will scan each of the campus' thousands of databases and either purge sensitive personal information or protect it more fully. He said the task force would test the university's security defenses by trying to break into them.

"I am launching a comprehensive, top-to-bottom investigation of all computing and information systems," Loh wrote. "Our University's entire cybersecurity system is only as strong as its weakest link."

Loh said the task force, which will be headed by professor and former provost Ann Wylie, will submit its recommendations within 90 days.

Wylie has also been named interim vice president for information technology. Brian Voss, the current IT chief, announced his retirement last month, effective March 31.

Voss said that the cyberattack was sophisticated, not the work of a "casual" hacker, and that the person or persons behind it appeared to know what they were looking for and how to get it.

The team investigating the cyberattack includes representatives of the U.S. Secret Service and other law enforcement, and cybersecurity firm MITRE.

The Maryland attorney general's office warned that the incident was "particularly alarming" and far different from other recent identity theft cases. While a customer of Target could cancel the credit card compromised in the breach of that retail chain, a University of Maryland alumnus whose Social Security number was stolen could be vulnerable at any point in the future.

Officials encouraged those affected to sign up for the free credit monitoring offer, which the university said would be retroactive to the date of the breach.

The revelation of the theft left the campus community reeling, with many expressing alarm and confusion. The data grab was among the largest such breaches at a university in the United States.

"We're deeply concerned; we don't like to be made vulnerable in this case," said William Stuart, who represents the Universities at Shady Grove on the University System of Maryland Faculty Council. "If there are serious losses of money or confidentiality, that's going to be really upsetting. Right now we're sort of wait-and-see."

Samantha Zwerling, the Student Government Association president at the University of Maryland, College Park, said many people she's spoken with are "pretty unhappy" but have been pleased that the university revealed the breach quickly.

"It's terrible that it happened and it shouldn't happen again, but for a lot of people, especially our generation, they don't know what the implications are if someone has your Social Security number," she said. "Students feel like, yeah, they can get your information, but there are ways to remedy this."

Some noted the irony of the cyberattack happening at the University of Maryland, as the university and state have moved to boost their foothold in the growing cybersecurity field.

In recent years, the flagship campus has tried to capitalize on its proximity to federal agencies such as the National Security Agency and U.S. Cyber Command at Fort Meade and the mass of government and private technology offices scattered throughout the Washington region. The Maryland Cybersecurity Center at College Park recruits middle and high school students to apply, offering summer and weekend workshops.

The university launched a cybersecurity honors concentration for undergraduates last fall. Earlier this year, it announced a partnership with the online learning company Coursera to offer a noncredit certificate in cybersecurity, opening up the university's offerings beyond the campus.

"The University of Maryland data breach is a sobering reminder of the cyber threatscape we currently live under," the state's director of cybersecurity, Elliot Schlanger, said in a statement. "We have reached out to our colleagues at UMD to assist in any way possible, while anticipating that their experience will serve to teach us how to better improve our own state cyber defenses."

Del. Jon Cardin, a Baltimore County Democrat, said Maryland institutions should be better equipped to prevent such a breach.

"We are at the epicenter of cybersecurity and cybercrime detection and confrontation here in Maryland, with Fort Meade and the [National Security Agency]," he said. Preventing cybercrime has "got to be at the top of our agenda."

Copyright © 2021, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad