This story was updated on Feb. 25, 2014.
Some students at University of Maryland, College Park, said they found it ironic that university officials tell them to protect their information only to announce that protected information was exposed in a Feb. 19 data breach.
Now about 309,000 students, staff, faculty and any other personnel issued a university ID since 1998 are playing the waiting game, wondering if their exposed information will lead to identity theft and hoping the university’s promised security increases will protect them in the future.
“They tell us not to give out our information and then this happens,” said junior Samantha Damico, 20, of College Park. “There is not much we can do.”
University president Wallace D. Loh released a statement saying that 309,079 Social Security numbers, dates of birth, university identification numbers and names were exposed in a data breach. This affected College Park and Shady Grove campus faculty, staff, students and affiliated personnel who were issued university identification since 1998, according to the statement. Addresses, financial, health, and academic records were not compromised, according to the statement.
“Universities are a focus in today’s global assaults on IT systems, said Loh in the statement. “We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.”
The university is offering a year of free credit monitoring through information services company Experian to anyone affected by the data breach, according a university release. Starting Tuesday, university faculty, staff and students can call Experian operators at 866-274-3891 to determine if their information was compromised and register for a year of credit protection through the company’s ProtectMyID system. The system will alert users to changes and suspicious activity found in their credit report, as well as offer identity fraud investigation and resolution, the release said.
William Lucyshyn, director of research in UM’s Center of Public Policy and Private Enterprise, said cyber thieves who steal names and Social Security numbers may be able to access addresses through other means, which gives them the power to open up credit cards in someone else’s name. Lucyshyn said the university’s credit monitoring offer of a year may not help those affected because electronic databases can exist indefinitely.
“You might have a problem 10 years from now,” Lucyshyn said. “When these guys open up a credit card ... you might get some notice you are three months behind in payments.”
In a statement on Feb. 24, university officials suggested those affected by the data breach take extra precautions by placing a 90-day fraud alert or security freeze on credit files, ordering free annual credit reports and obtaining more information about identity theft.
Students said they were glad the university responded quickly and that financial information and contact information wasn’t exposed, but the fact that Social Security numbers could have been stolen unnerved them.
Junior Alyssa Cote, 20, of College Park said she is worried hackers will use the information for identity theft.
“Now it is a game of chance,” Cote said. “Someone went out of the way to steal the information. They will do something with it.”
Sophomore Stephanie Poole, 20, of College Park said she plans to use the year of credit monitoring. She said her mother already started monitoring Poole’s credit to watch out for identity theft. Poole said she thought the university had stricter security and hoped the breach would force the university to examine its current cyber security.
“I thought it was obviously horrible,” Poole said. “I was shocked someone could break into the system. If they got Social Security numbers, they can do a lot of damage.”