BreachExchange mailing list archives

Massive UMCP Data Breach


From: Richard Forno <rforno () infowarrior org>
Date: Wed, 19 Feb 2014 18:59:37 -0500


http://www.umd.edu/datasecurity/

UMD Data Breach

Letter from President Loh

February 19, 2014

Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove): 

Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland 
was the victim of a sophisticated computer security attack that exposed records containing personal information. 

I am truly sorry. Computer and data security are a very high priority of our University. 

A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 
records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have 
been issued a University ID since 1998. The records included name, Social Security number, date of birth, and 
University identification number. No other information was compromised -- no financial, academic, health, or contact 
(phone, address) information. 

With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate 
state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic 
investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security 
defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach. 

The University is offering one year of free credit monitoring to all affected persons. Additional information will be 
communicated within the next 24 hours on how to activate this service. 

University email communications regarding this incident will not ask you to provide personal information. Please be 
cautious when sharing personal information. 

All updates regarding this matter will be posted to this website. Additional information is provided in the FAQs below. 
If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity () 
umd edu. 

Universities are a focus in today's global assaults on IT systems. We recently doubled the number of our IT security 
engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and 
better, and we will. 

Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal 
information that may be compromised. 

Sincerely, 

Wallace D. Loh
President, University of Maryland 

FAQs



        • How many files were breached? 
—We have been notified by Brian Voss, Vice President of Information Technology, that a computer security incident at 
the University of Maryland exposed approximately 309,079 records containing personal information.

        • Who was affected by the breach? 
—That database contained 309,079 records of faculty, staff, students and affiliated personnel from College Park and 
Shady Grove campuses who have been issued a University ID since 1998.

        • What kind of data was accessed?
—The records included name, Social Security number, date of birth, and University identification number. No financial, 
academic, contact, or health information was compromised.

        • How did it occur?
—The cause of the security breach is currently under investigation by state and federal law enforcement authorities, as 
well as forensic computer investigators.

        • How is the university responding?
—Within 24 hours, the University formed an investigative task force that includes law enforcement, IT leadership, and 
computer forensic investigators. We are also making every effort to notify the campus community and those who were 
previously affiliated with the university as students, faculty or staff. In addition, the University is offering one 
year of free credit monitoring to all who were affected. 

        • What else can I do to protect myself?
—We recommend that you be mindful of these general tips:
                • Do not share personal information over the phone, email or text. Instead, ask for a call-back number 
so you can verify with whom you are communicating.
                • Delete texts immediately from unfamiliar numbers or names because of the risk of malware and other 
viruses.
                • Never click links within emails that you do not recognize. Be cautious when responding to emails that 
direct you to suspicious websites. 

        • What should affected persons do next?
—Additional information will be on the University homepage within 24 hours. A special hotline has also been established 
if you have questions about this incident. You can call 301.405.4440 or email us at datasecurity () umd edu. 



---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!


Current thread: