University of Maryland
Wallace Loh was ready to go to bed after midnight Tuesday morning when he decided to check his email one last time.
“Ah, I missed this damn email,” Loh thought.
It was from Brian Voss, information technology vice president and chief information officer, informing Loh that an attacker had breached the names, Social Security numbers, birth dates and university IDs of more than 300,000 university students, alumni, faculty and personnel dating back to 1998.
Loh said his reaction was comparable to when he learned almost two years ago that a student threatened a mass shooting on the campus. He never went to sleep that night. University officials convened first thing Tuesday morning in Loh’s office, dubbing it “the command center” and “the war room.”
In three days, university officials have had to learn the extent of the attack, prepare a response, inform the community and hire outside consultants in an effort to protect those affected. The information stolen could potentially be enough to open credit card accounts or obtain access to other personal information.
The university employed outside computer security consultants to check that all university systems remain as foolproof as possible. And in addition to offering free credit protection for one year — possibly costing the university up to $3 million — the university is contracting a professional data center so those concerned can immediately call a hotline for help and answers to questions.
For some, such as Michael Washington, 40, that might not be enough.
“I have a home. I have credit cards. I have all these things,” said Washington, a government and politics major who re-enrolled for the fall semester after previously attending from 2000 to 2004. “Not only does it affect me, it affects my family.”
Officials discovered the breach within four hours. The attacker bypassed several layers of advanced security and copied the files, leaving little trace, but did not delete or corrupt files, said Brian Ullman, marketing and communications assistant vice president. He said the university cannot yet determine the proportion of people from the 16-year period who were affected.
Before the university community found out about the breach, university officials quickly trained an additional 20 to 30 students to answer questions at the Division of Information Technology. They received about 500 calls from 6 p.m. to 8 last night, but Ullman said he hopes more people call in coming days.
This university is not the first to experience such a massive attack, though it tallied the third-highest amount of compromised data from U.S. universities, according to the Los Angeles Times. The Ohio State University experienced a breach of about 760,000 individual files in 2010 and waited nearly three months to inform its community. In 2006, the University of California, Los Angeles breach affected more than 800,000 people.
State and federal law enforcement officials are investigating the identity of the attacker or attackers. But university officials said they remain focused on ensuring a similar attack does not happen and that other university data systems were not compromised.
“You’d think that a top, nationally renowned university would be on top of this,” state House Rep. Jon Cardin (D-Baltimore) said. “I hope the university evaluates how this impacts their body of current and former students to make sure they’re taking every possible step to keep information safe.”
On Tuesday, Loh fielded a call from Gov. Martin O’Malley, who said it was ironic that Baltimore hosted a cybersecurity innovation forum in January, yet the state’s flagship university has fallen victim to an attack of national caliber.
“I wonder if this is an isolated incident, or if we’re going to see more of this happening,” said Ben Susman, a junior journalism major. “And if this is an isolated incident, why in the world did it happen to the University of Maryland?”
