February 20, 2014

University of Maryland, College Park Security Attack

Dear Colleagues:
 
As many of you already know, the University of Maryland, College Park was the victim of what is being described as a sophisticated computer security attack (please see President Wallace Loh's email to the UMCP community below). The information we have now is that a database linked to campus IDs issued by College Park was compromised. This database contains records of more than 300,000 students, faculty, staff, and affiliated personnel at the College Park and Universities at Shady Grove campuses, and includes names, Social Security numbers, campus ID numbers, and dates of birth on IDs issued since 1998.
 
Computer security experts at College Park are taking steps to determine how the breach occurred and to prevent any further breaches, while forensic investigators determine how the University's security system was bypassed. At the same time, state and federal law enforcement agencies are investigating the attack as a criminal matter.
 
It is important to note that the people affected by this breach are only those who obtained a College Park ID card. If you did obtain an ID card from College Park at any time since 1998, please visit College Park's website at www.umd.edu/datasecurity for information about this breach. College Park is offering free credit monitoring to all affected persons.
 
I want to assure you that UMB has security controls in place for the One Card system, our University ID system. A separate, secure network was created, and there is no direct access to the One Card system from the campus network or from the Internet - this helps our efforts to keep the system secure. Moreover, the UMB One Card system does not store any Social Security numbers.
 
As more information becomes available, I will share it with you. In the meantime, this incident serves as an important reminder that we all should take measures to strengthen the security of our private information. University email communications will never ask you to provide personal information and any such requests should be disregarded. Please be cautious when sharing personal information through your computer, smartphone, and other electronic devices.

Sincerely,

Jay A. Perman, MD
President

Email from President Wallace D. Loh, University of Maryland, College Park
 
From: President Wallace D. Loh
Sent: Wednesday, February 19, 2014 6:06 PM
Subject: UMD Data Breach
 
February 19, 2014
 
Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):
 
Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.
 
I am truly sorry. Computer and data security are a very high priority of our University.
 
A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised -- no financial, academic, health, or contact (phone, address) information.
 
With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.
 
The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.
 
University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.
 
We have established a website with FAQs at www.umd.edu/datasecurity. Any updates will be posted to this site. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu.
 
Universities are a focus in today's global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.
 
Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.
 
Sincerely,
 
Wallace D. Loh
President, University of Maryland