The University of Maryland is the latest victim of a significant data breach after experiencing what school officials described as a “sophisticated computer security attack” that exposed records containing personal information.
According to a letter from Wallace Loh, President of the University, a database was breached on Feb. 18 that contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998.
Loh said he was notified about the breach by Brian Voss, Vice President of Information Technology, and that records accessed by the intruder(s) included name, Social Security number, date of birth, and University identification number. No other information was compromised, Loh said, including financial, academic, health, or contact information.
“With the assistance of experts, we are handling this matter with an abundance of caution and diligence,” Loh wrote in the letter. “Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.”
Call it too little too late if you like, but Loh said the University recently doubled the number of its IT security engineers and analysts, and doubled its investment in security tools.
“Obviously, we need to do more and better, and we will,” Loh said.
"We scored this week’s data breach at the University of Maryland using the Breach Level Index, which provides a scoring scale to classify the severity of any given security event, and lend some context relative to other breaches," Prakash Panjwani, senior vice president and general manager, Data Protection at SafeNet, told SecurityWeek.
"Using the publicly available information right now, we put this at a 7.4 out of 10, which can be categorized as a ‘severe’ breach," Panjwani said. "The inclusion of social security numbers places it relatively high on the scale, aided by the fact that a fairly large number of personal records were compromised. It appears from the outside that the records may have been stolen by a malicious insider (this would also factor into our scoring), but we don’t know that for sure. We also still don’t know how the stolen information has been used, and if the damage can hopefully be minimized, the index score could go down."
The University said that it is offering one year of free credit monitoring to all affected individuals.
SecurityWeek has reached out to the University to get additional details on the attack and will update this story if additional information is received.
*Updated with commentary from SafeNet