As authorities at the University of Maryland continue to investigate a data breach that compromised the personal information of more than 300,000 records of students, faculty and alumni, state officials are concerned that such incidents won’t stop anytime soon.
The incident, which university President Wallace D. Loh described in a Feb. 19 letter to students, parents and others as a “sophisticated computer security attack,” compromised a database kept by the school’s information technology department that contained 309,079 records containing the names, Social Security numbers, dates of birth and university identification numbers of students, faculty and alumni who had been issued university identification cards since 1998.
The breach came on the same day Gov. Martin J. O’Malley (D), U.S. Sen. Barbara Mikulski (D) and Montgomery County Executive Isiah Leggett (D) signed an agreement that will help solidify the county’s plans to build the National Cybersecurity Center of Excellence in Rockville.
State and federal law enforcement agencies are investigating the cause of the breach, Loh’s letter said.
Max Milien, a spokesman for the U.S. Secret Service, said the agency is involved in the investigation.
The school had no new information to report Thursday, said spokeswoman Pam Lloyd.
Joe Bucci, director of marketing and communications for The Universities at Shady Grove, said Thursday that the campus has about 1,440 University of Maryland, College Park, undergraduate and graduate students as well as about 150 to 200 College Park faculty and staff who were affected by the breach.
Other affected people include undergraduate students enrolled in programs at Shady Grove from Towson University; the University of Baltimore; the University of Maryland, Baltimore; the University of Maryland, Baltimore County; and the University of Maryland, Eastern Shore.
Shady Grove officials think that about 2,600 undergraduate students — both currently enrolled and former students — who participated in the five university programs at the campus were affected, Bucci said.
Bucci said these students were affected because the campus issued them Shady Grove IDs, which were in the same database that held the College Park IDs. The Shady Grove campus does not issue IDs to graduate students.
“We’re still trying to get a handle on exactly how many [affected people] there are,” he said. “It goes back to the inception of [The Universities at Shady Grove in 2000].”
It’s hard to judge how sophisticated the University of Maryland attack was because of how little information is publicly known, said Chris Ensey, COO of Dunbar Digital Armor, a Hunt Valley cybersecurity firm.
But he said collections of student data are rich with personal information that make them regular targets for hackers.
Many students have shorter credit histories that make it easier to use the information to open new lines of credit, Ensey said.
“University systems are constantly targeted,” he said.
Donna Schena, interim vice president of instructional and information technology and chief information officer for Montgomery College, said the college uses a “multi-pronged approach” to prevent security hacks into personal information.
“The threat is constant and the diligence, therefore, has to be constant,” she said.
Strategies include technology that watches for and intervenes with threats, physical security for buildings and machines, and managing access to the college’s computer technology and resources, she said.
Schena said the college also works hard to educate its students and staff about information security.
Patrick Feehan, director of IT privacy and cybersecurity compliance at Montgomery College, described the college as working in “a constant circle of change” when it comes to preparing against virtual security threats.
“We’re in a quickly evolving landscape as the world gets more wired,” he said. “We’re constantly having to update how we view threats and how we view vulnerabilities.”
The Washington Post reported the breach took place at 4 a.m. on Feb. 18. Hours later, the officials inked the plans for the cybersecurity center.
County officials have said they believe the facility will make the county a national center for the cybersecurity industry.
These types of breaches are why the state, as an institution, is focused on cybersecurity, said Sen. James C. Rosapepe.
“It’s not a problem that will go away,” said Rosapepe (D-Dist. 21) of College Park.
He said the latest breach is a dramatic example of the opportunity Maryland has to develop its cybersecurity sector.
A September 2012 audit by the state’s Office of Legislative Audits revealed that the Department of Information Technology hadn’t created a way to monitor and enforce its Information Security Policy even though Maryland law made it responsible for enforcing the policies, procedures and standards for state agencies.
The department’s policy shifted responsibility to each state agency to make sure it was complying with the information technology department’s policy.
The report revealed that state agencies weren’t required to share the same amount of information about data breaches as private entities, said Tim Brooks, director of performance audits for the Office of Legislative Audits.
Since the audit was done, the General Assembly has passed a law that state agencies would be bound by similar requirements as private companies for the security and encryption of information and to notify the Attorney General’s office, Department of Information Technology and any people affected by a breach, he said.
Since the report, information security assessments are included as part of each state agency’s fiscal compliance audit that is done every three years, he said.
Agencies and private companies both have to always be vigilant to look for signs that data has been compromised, Brooks said.
“It’s a constant battle. It requires constant surveillance,” he said.
Hackers’ level of sophistication is increasing every day, and the problems they cause won’t go away anytime soon, Ensey said.
As technology becomes more pervasive, the number of wireless-enabled devices people carry will create more conduits for hackers to gain access to information.
“The complexity of IT security has exponentially increased,” Ensey said.
Staff Writer Kate S. Alexander contributed to this report.