Last week, the University of Maryland reported a massive cyber-attack on university networks that puts students, faculty and staff at serious risk of identity theft.
The names, Social Security numbers, birth dates, and university identification numbers of more than 300,000 students and staff members were stolen in this “sophisticated” security attack. The database that was breached contains information from individuals who received a university ID dating back to 1998 from either the College Park or Shady Grove campuses. “Someone worked around very stringent security and gained access to this data,” said Brian Voss, the university’s vice president of information technology and chief executive officer. “Whoever did this broke through multiple levels of security in order to get this file.”
The University of Maryland is ranked among the top 100 schools in the nation and has about 27,000 undergraduate students and 10,000 graduate students. In his address to the university, President Wallace Loh apologized for one of the biggest data breaches ever suffered by the university. “Officials are working to remedy the situation with an abundance of caution and diligence. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed,” stated President Loh.
State and federal law enforcement officials, as well as forensic computer investigators, are trying to determine the cause of the data breach and how the university’s security defenses were bypassed. The university is offering a free year of credit monitoring to anyone affected by the breach.
Unfortunately, the recent cyber-attack on the University of Maryland’s network is not a unique incident. In the past decade, dozens of other schools have had their records compromised by Internet hackers. For example, in 2010, a cyber-attack on Ohio State’s system affected over 700,000 people. In 2011, a breach at the University of Wisconsin compromised the Social Security numbers of nearly 75,000 students and staff members. In 2006, a breach at UCLA affected nearly 800,000 people.
In his address to the University of Maryland, President Loh recognized the frequency of these cyber-attacks. “Universities are a focus in today’s global assaults on IT systems,” stated President Loh. “We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously we need to do more and better and we will.”
The degree, nature, and timing of cyber-attacks are difficult to predict. “You can never be perfectly safe because the bad guys come up with new ways of doing things, and we counter, and then they come up with new ways of doing things.” Although universities are attractive targets for Internet hackers, there are techniques that can be employed to prevent these cyber-attacks. Schools should review their Internet security policies and home in on the risk factors that make them vulnerable to Internet hackers. Additional steps must be taken to protect university databases in order to prevent a massive amount of information from being leaked to the general public.
If you or your institution has questions or concerns about this topic and you would like further information, please email James G. Ryan at jryan@cullenanddykman.com or call him at 516-357-3750. This article was written with Hayley Dryer, an associate at the firm.