University of Maryland President Wallace Loh announced on Tuesday that he has ordered an extension of credit protection services from one year to a full five years of coverage for individuals affected by the massive data breach discovered last week. The services will be provided at no cost.
The school has also set up a toll-free hotline for victims, which has been experiencing a high volume of calls.
The University of Maryland was the victim of a sophisticated computer security attack that exposed records containing the personal information of 309,079 faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses.
State and federal law enforcement agencies, the U.S. Secret Service, consultants from the MITRE Corp., and campus IT security personnel are working together to find out how the attackers penetrated the university’s multiple layers of security. Loh also announced that he is launching a comprehensive, top-to-bottom investigation of all computing and information systems. This includes central systems operated by the university and local systems operated by individual administrative and academic units. According to a press release, this investigation has three missions.
– “First, we will scan every database to find out where sensitive personal information might be located. Then, we will either purge it or protect it more fully in that database, as appropriate. There are thousands of databases throughout the campus, many created years ago when the environment for cyber threats was different.
– “Second, we will do penetration tests of the security defenses of our central and local information systems to identify and seal any possible technological gaps through which cyber criminals could get in to search for any information. These probes will be performed on an ongoing basis.
– “Third, we will review the appropriate balance between centralized (University-operated) versus decentralized (unit-operated) IT systems. There must be policy changes to accompany technical fixes. We understand the needs of individual units to control their own servers and databases. We must also ensure that safeguards at central and local levels are equally robust and tightly coordinated. Our University’s entire cybersecurity system is only as strong as its weakest link.”
The breach affected those individuals who have been issued a university ID since 1998. The records included name, Social Security number, date of birth, and university identification number.