McKeldin Mall

A massive cyberattack struck university networks Tuesday morning, putting personal student, faculty and staff information at risk. 

Officials estimate 309,079 student, faculty and staff records were compromised, including names, birth dates, university ID numbers and Social Security numbers. No financial, medical or academic information was accessed, university officials said. 

The database that was accessed contained information from everyone who has received a university ID from the College Park or Shady Grove campuses since 1998. 

Because identity theft is possible, officials said the university will offer those affected one free year of credit monitoring from a yet-to-be-determined company.

The case has been passed on to state and federal law enforcement for investigation, said Brian Voss, the university’s vice president of information technology and chief information officer. Voss encouraged everyone affected to be “vigilant” regarding their credit accounts.

In a letter sent to the university community last night, university President Wallace Loh said the attack was “sophisticated” and officials are working to remedy the situation “with an abundance of caution and diligence.” 

“Universities are a focus in today’s global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools,” Loh wrote. “Obviously, we need to do more and better, and we will.”

Division of Information Technology officials detected a data breach Tuesday between 8 and 9 a.m., Voss said. 

Officials believe the information was accessed by an unknown source between 4 and 5 a.m. and then copied. No data were altered in the university’s networks, and university ID-related tasks, such as logging into Canvas or swiping into buildings, are unaffected, Voss said.

Within hours of detecting the breach, officials assembled a task force of law enforcement, computer forensic investigators and IT experts and began consulting with the FBI and state law enforcement.

“Someone worked around very stringent security and gained access to this data,” Voss said. “Whoever did this broke through multiple levels of security in order to get this file.”

Unlike some recent high-profile data breaches elsewhere, this university’s data breach did not occur as a result of a faulty preventative system or an IT mistake, Voss said.

“I wish it was an easy solution, that a mistake was made or a door was left open,” Voss said. “What troubles me as an IT professional is I know the university security is really good — really good. That someone was able to get through is a real point of concern not just for the University of Maryland, but for everybody.”

Voss said officials do not have any leads yet as to who the attacker is or where the attack was made from. 

Other universities have faced similar breaches. In 2010, a cyberattack on Ohio State’s systems affected 760,000 people, according to The New York Times, and a breach at the University of Wisconsin, Milwaukee, compromised 75,000 student and staff Social Security numbers in 2011.  

And in July 2008, this university’s Department of Transportation Services accidentally exposed personal data for all enrolled students at the time. The address labels on mailings sent to students about parking options were found to include the addressees’ Social Security numbers in addition to their names and addresses. 

In that breach, affected students were offered a free year of credit monitoring from Equifax, paid for by the university. 

“It’s never over,” Voss said. “You can never be perfectly safe because the bad guys come up with new ways of doing things, and we counter, and then they come up with new ways of doing things.”

Officials launched webpage umd.edu/datasecurity at about 6 p.m. yesterday, where community members can learn how to check the status of their personal information and get help figuring out what to do next. 

Officials encourage anyone with questions regarding the cyberattack to call a special hotline at 301-405-4440 or send an email to datasecurity@umd.edu.


Senior staff writers Yasmeen Abutaleb, Teddy Amenabar, and Jenny Hottle contributed to this report.