The credit bureau offering years of credit protection for those affected by February’s data breach has reported a “significant drop-off” in call volume since opening its call center to this university on Feb. 25, university Chief Information Officer Crystal Brown said.
Experian’s call center faced technical difficulties on the first day of availability after receiving an influx of more than 40,000 calls in the first three hours of operation, Brown said, but has recorded a diminishing number of callers every day since Feb. 28.
Fewer than 30,000 of the 287,580 affected had signed up for the protection services, Ann Wylie, chairwoman of the recently created President’s Task Force on Cybersecurity, wrote Wednesday. That number surpassed 30,000 on Thursday, Brown said.
About 10 percent of affected people have signed up, compared to the 15 percent observed on average for breaches of similar magnitude, university officials said.
“That’s the industry standard,” Brown said. “We’re hoping for a lot more than that. We hope to get a lot more of our constituents to sign up.”
Brown said the university could not comment on why the number of victims who had signed up for protection was smaller than the number of calls Experian received in its first three hours of open lines, because “Experian isn’t capturing that data.”
An announcement from Wylie to the university Wednesday night also said more than 50,000 of the copied files were from students from between 1992 and 1998, though the university originally said no file from earlier than 1998 had been breached.
While purging accessed files, Department of Information Technology workers found that older files had been preloaded into the breached database when it was created in 1998, but Wylie said Thursday she could not explain why the files were still being held in the database, or why they were preloaded in the first place.
“We don’t exactly know, but it isn’t unusual for us to preload data when we take a new initiative,” she said. “It’s really for convenience.”
The DIT is collaborating with University Human Resources, the registrar’s office and “the folks who own and use the data” to purge the files compromised by the Feb. 18 breach, Brown said. More than 225,000 records had been removed from the database as of Wednesday night.
At least a dozen workers are combing each file to determine eligibility for deletion, Brown said. Only files for people without any standing connection to the university have been removed from the database.
“It’s a pretty time-consuming and analytical process,” she said.
The university was unable to answer questions as to why it used Social Security numbers as the identifying set of digits for many of the individuals whose files were stolen, when a random set of numbers would have worked just as well, Brian Voss, information technology vice president and chief security officer, told The Wall Street Journal in February.
“That’s one of the things the task force will be answering,” Brown said.
This 18-person task force, which met for the first time Wednesday evening, will be split into four subgroups, Wylie said. One will focus on university data, one on policy, one on security enhancement and one on security penetration testing.
“We tried to get a broad knowledge base, so that’s what we did,” Wylie said. “We just took people across the university that would have different knowledge bases, different experiences. We’ve divided ourselves up so that not everyone is working on every issue.”
In an email to the community on Feb. 25, university President Wallace Loh assigned the task force a 90-day period to research the breach and develop a plan of action. It will reconvene on March 24 after spring break.
More on the University of Maryland data breach:
[ READ MORE: Records accessed in data breach went back to 1992; number affected revised down ][ READ MORE: Credit bureau offering years of protection sold SSN’s, banking information in the past ][ READ MORE: University of Maryland begins purging data accessed in breach ]
