University of Maryland computer breach exposes student, staff records

More than 300,000 records for students, faculty and staff were stolen in a sophisticated cyberattack

Washington: The University of Maryland said on Wednesday that more than 300,000 records for students, faculty and staff were stolen in a sophisticated cyberattack.

Hackers breached a university database containing names, Social Security numbers, birth dates and university identification numbers for everyone who had been issued university identification since 1998. The university said financial, academic, health, phone and address records were not taken.

University President Wallace D. Loh said he was notified of the breach Tuesday night.

“I am truly sorry,” he said in a statement. “Computer and data security are a very high priority of our university.”

By Wednesday, hackers had not taken credit for the attack. Typically, hackers seek such information because it can be used to steal identities or crack bank accounts. It can also be sold on the black market. Universities make ripe targets because they store vast amounts of information, often on decentralised servers.

The records can be a gold mine because students, in particular, often have pristine credit reputations and do not monitor their account activity and credit scores as vigilantly as adults.

Loh said the university would offer one year of free credit monitoring for those whose information was taken.

Dozens of universities have been hit by breaches in recent years. In 2012, Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Rhode Island, the University of Arizona, Queens College, Marquette and 50 other universities were victims of attacks that exposed personal information.

In the breach at Harvard, Stanford, Cornell, Princeton, Johns Hopkins and others, the hackers who took responsibility said their goal was to raise awareness of tuition increases in the United States and changing education laws in Europe.

But in a post to the anonymous website Pastebin, they said that in many cases, when they breached the servers at these universities, they found that somebody else had already been there.

“When we got there, we found that a lot of them have malware injected,” the hackers wrote on Pastebin.

In that breach, IdentityFinder, a company that works to protect against identity theft after a breach, found that in many cases the hackers had been inside universities’ systems for at least four months.

At the University of Maryland, Loh said the university had recently doubled its number of security engineers and analysts and had doubled its investment in security tools.

“Universities are a focus in today’s global assaults on IT systems,” Loh said in the statement. “Obviously, we need to do more and better, and we will.”
