Data breach at the University of Maryland
Author |
Message |
David
Pure Phase
Joined: Tue Feb 15, 2005 7:33 am Posts: 34865 Location: Maryland
|
 Data breach at the University of Maryland
I just received this e-mail:

Quote:
February 19, 2014

Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove),

Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.

I am truly sorry. Computer and data security are a very high priority of our University.

A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.

With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered, security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.

The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.

University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.

We have established a website with FAQs at http://www.umd.edu/datasecurity. Any updates will be posted to this site. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu.

Universities are a focus in today's global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.

Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.

Sincerely,
Wallace D. Loh
President
_________________   1. The Lost City of Z - 2. A Cure for Wellness - 3. Phantom Thread - 4. T2 Trainspotting - 5. Detroit - 6. Good Time - 7. The Beguiled - 8. The Florida Project - 9. Logan and 10. Molly's Game
Last edited by David on Wed Feb 26, 2014 7:32 pm, edited 1 time in total.
|
Wed Feb 19, 2014 7:45 pm |
|
 |
Argos
Z
Joined: Sat May 13, 2006 2:20 pm Posts: 7952 Location: Wherever he went, including here, it was against his better judgment.
|
 Re: Big data breach at the University of Maryland
How do you feel, David?
_________________ "The course of a person's life consists in this: that, fooled by hope, he dances into the arms of death." - Arthur Schopenhauer
|
Wed Feb 19, 2014 7:53 pm |
|
 |
David
Pure Phase
Joined: Tue Feb 15, 2005 7:33 am Posts: 34865 Location: Maryland
|
 Re: Big data breach at the University of Maryland
Mildly concerned. I guess I will accept the free year of credit monitoring.
I also posted it because I believe other people here went to Maryland.
|
Wed Feb 19, 2014 7:56 pm |
|
 |
David
Pure Phase
Joined: Tue Feb 15, 2005 7:33 am Posts: 34865 Location: Maryland
|
 Re: Big data breach at the University of Maryland
Quote:
A changing threat environment and institutional inertia helped enable hackers to access 309,079 personal records of University of Maryland students and staff, the school’s tech chief told Risk & Compliance Journal.
Hackers gained access to the personal data, which included social security numbers and birthdates by hacking into the school’s ID card system, said Brian Voss, University of Maryland at College Park’s chief information officer. The breach, announced last week, included students, faculty and staff who were granted university IDs on the campus, and involved data going as far back as 1998. The attack raised the question of why the school needed to retain this sensitive data in its systems for so long.
Security experts recommend social security numbers, which can be used to commit identity fraud, only be collected for compelling, current business purposes. And administrators should delete those identifiers as soon as they are no longer needed. “Not all data is created equally,” said David Vladeck, a former director of the Federal Trade Commission’s consumer protection bureau. “To me the crown jewel is the social security number.”
Fearing litigation and reputational damage, many organizations are now taking steps to minimize, and closely guard, personal data within their systems. But the case of University of Maryland illustrates how mountains of data, accumulated over decades, can come back to haunt an organization. And IT decisions that seemed sound when they were made, years before hackers and cyber security became mainstream business concerns, can prove punishing in hindsight.
For example, the social security numbers in the University of Maryland’s ID card system, were data “relics,” said Mr. Voss, who began working at the school in 2011. The University of Maryland used social security numbers as unique identifiers for its ID card system, allowing the system to link a particular student across institution’s campuses, said Mr. Voss. But a less sensitive identifier, like a random set of numbers, could have accomplished the same purpose, Mr. Voss said.
The ID card system also allowed students to register to vote, a process that often requires a social security number. But here too, Mr. Voss acknowledged, maintaining the number was unnecessary — the identifier could have been purged after the student was registered.
The ID system was built in 1998 when people were far less careful about guarding personal data, Mr. Voss said. “Even at the time it was probably not a good idea to hold onto it,” he said. “For whatever reason the decision to retain that data made sense at the time…But they couldn’t imagine the environment we’re operating in now,” Mr. Voss said. “History makes idiots of us all. We do pay for the sins of the father.”
Institutions need to review what data they’ve accumulated over time and purge sensitive information not still needed — particularly social security numbers, said Mr. Vladeck, who is now a Georgetown Law professor. “I’m sure the folks at Maryland are going to learn from it, but the damage here is quite significant.”
University of Maryland did in fact conduct an audit on where social security numbers were stored, around five years before Mr. Voss took the helm in 2011, he said. Still, Mr. Voss said he was unaware that the social security data were being stored in the ID card database, just one of dozens of systems that he inherited when he began in the job. While Mr. Voss knew of the review’s findings generally, he didn’t read through the “three-foot high stacks” of the report, he said. “I could tell you about the amount of stuff that was broken when I came in that needed fixing,” Mr. Voss said.
Fighting against the arbitrary accumulation of data is difficult in any large organization, Mr. Voss said. “People’s natural tendency is to hold onto things longer than they should,” Mr. Voss said. “Especially considering that each of these is a time bomb not impacting just the institution, but impacting the individual.”

http://blogs.wsj.com/riskandcompliance/ ... ulnerable/
|
Wed Feb 26, 2014 7:30 pm |
|
 |
Libs
Sbil
Joined: Tue Oct 12, 2004 3:38 pm Posts: 48678 Location: Arlington, VA
|
 Re: Data breach at the University of Maryland
I got an email from Wells Fargo today telling me they're sending me a new debit card because my card was used at Target during the time of their data breach.
Wooooooooooooooooooooooooo technology
|
Wed Feb 26, 2014 11:52 pm |
|
 |
Corpse
Don't Dream It, Be It
Joined: Wed Aug 02, 2006 12:45 pm Posts: 37162 Location: The Graveyard
|
 Re: Data breach at the University of Maryland
I, too, was issued a new debit card over a possible data breach after shopping at Target recently.
_________________Japan Box Office “Gods are great ... but the heart is greater. For it is from our hearts they come, and to our hearts they shall return.” “We were like gods at the dawning of the world, & our joy was so bright we could see nothing else but the other.” “There are three things all wise men fear: the sea in storm, a night with no moon, and the anger of a gentle man.” “You have to pretend you get an endgame. You have to carry on like you will; otherwise, you can't carry on at all.” "Paper is dead without words / Ink idle without a poem / All the world dead without stories."
|
Fri Feb 28, 2014 11:34 pm |
|
 |
David
Pure Phase
Joined: Tue Feb 15, 2005 7:33 am Posts: 34865 Location: Maryland
|
 Re: Data breach at the University of Maryland
I wish it was just my credit card information stolen. To know your Social Security number is out there in the world is far more troubling.
|
Sat Mar 01, 2014 8:46 am |
|