300,000 Records Exposed in University of Maryland Security Breach

309,079 staff and students at the University of Maryland have been affected by a security breach that exposed Social Security numbers, names, dates of birth and university ID numbers. The victims are from the Shady Grove and College Park campuses, and their information was stored in an old database containing the records of people who had previously been issued with University identity cards. The records date back to 1998.

Hackers were able to gain access to the database via a server, in spite of several layers of security being in place. They located the database and essentially “made a Xerox of it and took off” according to Brian Voss, the University of Maryland’s Vice President and Chief Information Officer.

Once inside the network, the hackers were able to make a copy of the data, but what is concerning in this incident is the how the hackers past the several layers of security that U-Md had put in place. A recent data breach report in the Washington Post reported Voss as saying “what most concerns him is the sophistication of the attack.” He went on to say that the hacker or hackers must have had a “very significant understanding of how the school’s data are designed and protected.”

In many security breaches data access is gained because the defenses have been inadvertently let down. In the words of Voss, they are caused because “someone left the door open.” He said “That’s not what happened here. There’s no open door. These people picked through several locks to get to this data”

Healthcare data breaches are occurring much more frequently because of the value of the data that the organizations hold. The thieves are mostly looking for Social Security numbers and personal identifiers, as this information can be used to make fraudulent Medicare/Medicaid claims, make fake tax returns and commit identify fraud. Since Universities hold Social Security numbers and personal identifiers, they too have come under attack in recent months.

Whenever Social Security numbers are obtained the breach is much more serious for the victims. As a result, U-Md will be offering free credit monitoring services to all individuals affected for a period of one year; without charge. Due to the risk of information being used for criminal purposes, all individuals receiving a breach notification letter are advised to respond quickly and sign up for the credit monitoring services being offered.

University President, Wallace D. Loh, wrote in a letter to the community, “Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed.” All affected individuals have been told that they are “doing what they can to prevent further intrusions.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.